Windows Analysis Report
SOA 89035673890.exe

Overview

General Information

Sample name: SOA 89035673890.exe
Analysis ID: 1520360
MD5: f2a9270835ef7d0db0a287867cb98f6f
SHA1: 3d3b9b719b0d4c1040e3b337ecae1f5b8729f5db
SHA256: e518c029a8b513fd3c2e77c475f8bd19c54c8a15d38198d878c8322a7b491f52
Tags: exe, Formbook, Payment, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SOA 89035673890.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\SOA 89035673890.exe" MD5: F2A9270835EF7D0DB0A287867CB98F6F)
    • svchost.exe (PID: 2676 cmdline: "C:\Users\user\Desktop\SOA 89035673890.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autofmt.exe (PID: 4960 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
        • autofmt.exe (PID: 3368 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
        • systray.exe (PID: 5956 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • cmd.exe (PID: 6104 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}
Source | Rule | Description | Author
00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
[33 further memory-dump entries not shown in this view]
Source | Rule | Description | Author
0.2.SOA 89035673890.exe.43f0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.SOA 89035673890.exe.43f0000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.SOA 89035673890.exe.43f0000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SOA 89035673890.exe.43f0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.SOA 89035673890.exe.43f0000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
[10 further unpacked-PE entries not shown in this view]

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SOA 89035673890.exe", CommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", ParentImage: C:\Users\user\Desktop\SOA 89035673890.exe, ParentProcessId: 6600, ParentProcessName: SOA 89035673890.exe, ProcessCommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", ProcessId: 2676, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\SOA 89035673890.exe", CommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", ParentImage: C:\Users\user\Desktop\SOA 89035673890.exe, ParentProcessId: 6600, ParentProcessName: SOA 89035673890.exe, ProcessCommandLine: "C:\Users\user\Desktop\SOA 89035673890.exe", ProcessId: 2676, ProcessName: svchost.exe
          No Suricata rule has matched
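The two Sigma hits above fire on one fact: a 32-bit svchost.exe whose parent is the dropper rather than services.exe, and whose command line still names the dropper because the child was created suspended and hollowed. The script below is an added example (not part of the Joe Sandbox report and not the Sigma rule itself) that replays that logic, plus two companion checks from the process tree, over process-creation events constructed from the report. The expected-parent set is my reading of the filter in the "Uncommon Svchost Parent Process" rule and should be checked against the current rule text; the cmd.exe image path and the benign services.exe event are assumptions added for contrast.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Constructed from the report's process tree: the hollowed svchost.exe (PID 2676),
# the cmd.exe deletion (PID 6104), and one benign svchost launch by services.exe.
# The cmd.exe image path and the benign event are assumptions, not report data.
EVENTS = [
    ProcEvent(2676, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\SOA 89035673890.exe"',
              6600, r"C:\Users\user\Desktop\SOA 89035673890.exe"),
    ProcEvent(6104, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\SysWOW64\svchost.exe"',
              5956, r"C:\Windows\SysWOW64\systray.exe"),
    ProcEvent(1000, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              700, r"C:\Windows\System32\services.exe"),
]

# Parents treated as normal for svchost.exe (assumed reading of the Sigma
# rule's filter; verify against the rule before deploying).
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe",
                            "rpcnet.exe", "svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """The program token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def uncommon_svchost_parent(ev):
    return (basename(ev.image) == "svchost.exe"
            and ev.parent_image != ""
            and basename(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS)


def image_cmdline_mismatch(ev):
    """Hollowing tell: the image on disk is not the program the command line names."""
    tok = first_token(ev.cmdline)
    return tok.lower().endswith(".exe") and basename(tok) != basename(ev.image)


_DEL = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))', re.I)


def cmd_del_windows_binary(ev):
    """cmd.exe deleting an executable under the Windows directory."""
    if basename(ev.image) != "cmd.exe":
        return False
    m = _DEL.search(ev.cmdline)
    target = (m.group(1) or m.group(2)).lower() if m else ""
    return target.endswith(".exe") and "\\windows\\" in target


RULES = {
    "uncommon_svchost_parent": uncommon_svchost_parent,
    "image_cmdline_mismatch": image_cmdline_mismatch,
    "cmd_del_windows_binary": cmd_del_windows_binary,
}


def evaluate(ev):
    """Names of the rules that fire for one event, in a stable order."""
    return sorted(name for name, rule in RULES.items() if rule(ev))


def scan(events):
    """pid -> fired rules, for events that fire at least one rule."""
    return {ev.pid: evaluate(ev) for ev in events if evaluate(ev)}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

The image/command-line mismatch check is the one worth keeping beyond this sample: a legitimate svchost.exe always carries its own path as the first token, so a mismatch does not depend on which parent a given loader chose.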


          AV Detection

Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}
Source: SOA 89035673890.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SOA 89035673890.exe | Joe Sandbox ML: detected
Source: SOA 89035673890.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: systray.pdb source: svchost.exe, 00000001.00000002.1776834326.0000000002EA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.1776592840.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1776616086.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000005.00000002.4136689241.0000000000690000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000001.00000002.1776834326.0000000002EA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.1776592840.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1776616086.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4136689241.0000000000690000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: SOA 89035673890.exe, 00000000.00000003.1721823891.0000000004420000.00000004.00001000.00020000.00000000.sdmp, SOA 89035673890.exe, 00000000.00000003.1722968448.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725662139.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1724219097.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.0000000003000000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1776803846.0000000004C5C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.000000000514E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1779280149.0000000004E08000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SOA 89035673890.exe, 00000000.00000003.1721823891.0000000004420000.00000004.00001000.00020000.00000000.sdmp, SOA 89035673890.exe, 00000000.00000003.1722968448.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1777038365.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725662139.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1724219097.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.0000000003000000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000005.00000002.4138372758.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1776803846.0000000004C5C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.000000000514E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1779280149.0000000004E08000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4152886900.000000001104F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4139428695.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4137119058.0000000003036000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4152886900.000000001104F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4139428695.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4137119058.0000000003036000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop esi 1_2_026372F1
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi 5_2_02DA72F1

          Networking

Source: Malware configuration extractor | URLs: www.orsaperevod.online/e62s/
          Source: DNS query: www.uckyspinph.xyz
Source: unknown | DNS traffic detected: query: www.ctivemail5-kagoya-com.info, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.dneshima.today, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.uckyspinph.xyz, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.atangtoto4.click, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ighrane.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ampanyaak.click, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.orsaperevod.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.rograma-de-almacen-2.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.6snf.shop, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.anatanwater.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.heirbuzzwords.buzz, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ctivemail5-kagoya-com.info, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.dneshima.today, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.uckyspinph.xyz, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.atangtoto4.click, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ighrane.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ampanyaak.click, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.orsaperevod.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.rograma-de-almacen-2.online, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.6snf.shop, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.anatanwater.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.heirbuzzwords.buzz, reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic | DNS traffic detected: DNS query: www.ctivemail5-kagoya-com.info
Source: global traffic | DNS traffic detected: DNS query: www.heirbuzzwords.buzz
Source: global traffic | DNS traffic detected: DNS query: www.anatanwater.net
Source: global traffic | DNS traffic detected: DNS query: www.atangtoto4.click
Source: global traffic | DNS traffic detected: DNS query: www.ighrane.online
Source: global traffic | DNS traffic detected: DNS query: www.dneshima.today
Source: global traffic | DNS traffic detected: DNS query: www.uckyspinph.xyz
Source: global traffic | DNS traffic detected: DNS query: www.ampanyaak.click
Source: global traffic | DNS traffic detected: DNS query: www.6snf.shop
Source: global traffic | DNS traffic detected: DNS query: www.rograma-de-almacen-2.online
Source: global traffic | DNS traffic detected: DNS query: www.orsaperevod.online
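Every name the sandbox saw resolved above, the configured C2 included, came back NXDOMAIN, and every one of them is "www." plus an entry from the extracted configuration; the URLs later found in explorer.exe memory all reuse the C2's "/e62s/" path on decoy hosts. The script below is an added example, not part of the Joe Sandbox report, that turns the extracted configuration into a triage aid: it classifies each observed DNS query as C2, decoy or unknown, flags any URL that reuses the C2 URI path regardless of host, and emits the "www."-prefixed blocklist the sample would actually resolve. The decoy list embedded here is a constructed subset of the 64 decoys in the report (enough to cover every name the sandbox queried), and the DNS log lines and URL list are constructed from the report's entries.

```python
import json
import re
from urllib.parse import urlparse

# FormBook configuration in the shape the report's extractor prints. The C2
# entry is the report's; the decoy list is a constructed subset of the 64
# decoys listed in the report.
CONFIG_JSON = json.dumps({
    "C2 list": ["www.orsaperevod.online/e62s/"],
    "decoy": ["ellinksa.shop", "uckyspinph.xyz", "3llyb.vip", "6snf.shop",
              "ampanyaak.click", "anatanwater.net", "atangtoto4.click",
              "ctivemail5-kagoya-com.info", "dneshima.today", "heirbuzzwords.buzz",
              "ighrane.online", "rograma-de-almacen-2.online"],
})

# Constructed DNS log lines in the report's wording; reply code 3 is NXDOMAIN.
DNS_LOG = """\
DNS traffic detected: query: www.ctivemail5-kagoya-com.info reply code: Name error (3)
DNS traffic detected: query: www.uckyspinph.xyz reply code: Name error (3)
DNS traffic detected: query: www.orsaperevod.online reply code: Name error (3)
DNS traffic detected: query: www.6snf.shop reply code: Name error (3)
"""

# Constructed from the URL strings the report found in explorer.exe memory.
OBSERVED_URLS = [
    "http://www.3llyb.vip",
    "http://www.3llyb.vip/e62s/",
    "http://www.6snf.shop/e62s/",
    "http://ocsp.digicert.com",
]

# Accepts both "reply code" and the report's original "replaycode" spelling.
DNS_LINE = re.compile(r"query:\s*(\S+)\s+repla?y\s?code:\s*(.*?)\s*$")


def _bare(host):
    """Lower-case and drop the leading 'www.' the sample prepends to every name."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    cfg = json.loads(text)
    c2_host, _, rest = cfg["C2 list"][0].partition("/")  # entry carries no scheme
    return {
        "c2_host": c2_host,
        "c2_path": "/" + rest,
        "decoys": {d.lower() for d in cfg["decoy"]},
    }


def classify_host(host, cfg):
    bare = _bare(host)
    if bare == _bare(cfg["c2_host"]):
        return "c2"
    if bare in cfg["decoys"]:
        return "decoy"
    return "unknown"


def triage_dns(log_text, cfg):
    """Map each queried name to (classification, reply code)."""
    result = {}
    for line in log_text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            result[m.group(1).lower()] = (classify_host(m.group(1), cfg), m.group(2))
    return result


def flag_urls(urls, cfg):
    """URLs that reuse the C2 URI path, whatever host they were sent to."""
    return [u for u in urls if urlparse(u).path == cfg["c2_path"]]


def network_blocklist(cfg):
    """Every name the sample may resolve, in the 'www.'-prefixed form it queries."""
    names = {cfg["c2_host"]} | {"www." + d for d in cfg["decoys"]}
    return sorted(names)


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    for host, (kind, rcode) in triage_dns(DNS_LOG, cfg).items():
        print(f"{host:40} {kind:8} {rcode}")
    print("beacon-path hits:", flag_urls(OBSERVED_URLS, cfg))
    print(len(network_blocklist(cfg)), "names to block")
```

Matching on the URI path rather than the host is deliberate: the host-level indicator is one of 65 names and the sample rotates through them, while the path is shared by every beacon in this campaign. That every query above returned NXDOMAIN, the real C2 included, is what the report summarises as expired dropper behaviour; it does not make the configuration any less useful as a blocklist.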
Source: explorer.exe, 00000002.00000003.3114071206.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.3114071206.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.3114071206.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000003.3114071206.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1737348596.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000000.1737348596.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000000.1735381420.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1735937795.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737554147.0000000009B60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.3llyb.vip
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.3llyb.vip/e62s/
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.3llyb.vip/e62s/www.ellinksa.shop
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.3llyb.vipReferer:
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6snf.shop
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6snf.shop/e62s/
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6snf.shop/e62s/www.rograma-de-almacen-2.online
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.6snf.shopReferer:
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ampanyaak.click
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ampanyaak.click/e62s/
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ampanyaak.click/e62s/www.6snf.shop
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ampanyaak.clickReferer:
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anatanwater.net
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anatanwater.net/e62s/
Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anatanwater.net/e62s/www.atangtoto4.click
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anatanwater.netReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atangtoto4.click
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atangtoto4.click/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atangtoto4.click/e62s/www.mwquas.xyz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.atangtoto4.clickReferer:
          Source: explorer.exe, 00000002.00000003.3109264702.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112713912.000000000C9B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ctivemail5-kagoya-com.info
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ctivemail5-kagoya-com.info/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ctivemail5-kagoya-com.info/e62s/www.heirbuzzwords.buzz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ctivemail5-kagoya-com.infoReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dneshima.today
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dneshima.today/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dneshima.today/e62s/www.uckyspinph.xyz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dneshima.todayReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellinksa.shop
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellinksa.shop/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellinksa.shop/e62s/www.shacertification9.shop
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ellinksa.shopReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heirbuzzwords.buzz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heirbuzzwords.buzz/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heirbuzzwords.buzz/e62s/www.anatanwater.net
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heirbuzzwords.buzzReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighrane.online
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighrane.online/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighrane.online/e62s/www.dneshima.today
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ighrane.onlineReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontimepiece.net
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontimepiece.net/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontimepiece.net/e62s/www.3llyb.vip
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontimepiece.netReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mwquas.xyz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mwquas.xyz/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mwquas.xyz/e62s/www.ighrane.online
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mwquas.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orsaperevod.online
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orsaperevod.online/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orsaperevod.online/e62s/www.jacksontimepiece.net
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orsaperevod.onlineReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rograma-de-almacen-2.online
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rograma-de-almacen-2.online/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rograma-de-almacen-2.online/e62s/www.orsaperevod.online
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rograma-de-almacen-2.onlineReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shacertification9.shop
          Source: explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shacertification9.shop/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.shacertification9.shopReferer:
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uckyspinph.xyz
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uckyspinph.xyz/e62s/
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uckyspinph.xyz/e62s/www.ampanyaak.click
          Source: explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uckyspinph.xyzReferer:
          Source: explorer.exe, 00000002.00000000.1739009190.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3109264702.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000002.00000000.1729796780.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000002.00000002.4150486626.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000002.00000002.4147057517.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000002.00000002.4147057517.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000002.00000002.4139563777.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112867339.000000000370C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1728601620.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114920568.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4137122743.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1727718919.0000000001248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000002.00000002.4147057517.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000002.00000002.4147057517.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000000.1739009190.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150486626.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

          E-Banking Fraud

          Source: Yara matchFile source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: SOA 89035673890.exe PID: 6600, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 2676, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: systray.exe PID: 5956, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072B60 NtClose,LdrInitializeThunk,1_2_03072B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BF0 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_03072BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AD0 NtReadFile,LdrInitializeThunk,1_2_03072AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F30 NtCreateSection,LdrInitializeThunk,1_2_03072F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F90 NtProtectVirtualMemory,LdrInitializeThunk,1_2_03072F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FB0 NtResumeThread,LdrInitializeThunk,1_2_03072FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FE0 NtCreateFile,LdrInitializeThunk,1_2_03072FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072E80 NtReadVirtualMemory,LdrInitializeThunk,1_2_03072E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_03072EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D10 NtMapViewOfSection,LdrInitializeThunk,1_2_03072D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D30 NtUnmapViewOfSection,LdrInitializeThunk,1_2_03072D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DD0 NtDelayExecution,LdrInitializeThunk,1_2_03072DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03072DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03072C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CA0 NtQueryInformationToken,LdrInitializeThunk,1_2_03072CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074340 NtSetContextThread,1_2_03074340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074650 NtSuspendThread,1_2_03074650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072B80 NtQueryInformationFile,1_2_03072B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BA0 NtEnumerateValueKey,1_2_03072BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BE0 NtQueryValueKey,1_2_03072BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AB0 NtWaitForSingleObject,1_2_03072AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AF0 NtWriteFile,1_2_03072AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F60 NtCreateProcessEx,1_2_03072F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FA0 NtQuerySection,1_2_03072FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072E30 NtWriteVirtualMemory,1_2_03072E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072EE0 NtQueueApcThread,1_2_03072EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D00 NtSetInformationFile,1_2_03072D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DB0 NtEnumerateKey,1_2_03072DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C00 NtQueryInformationProcess,1_2_03072C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C60 NtCreateKey,1_2_03072C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CC0 NtQueryVirtualMemory,1_2_03072CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CF0 NtOpenProcess,1_2_03072CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073010 NtOpenDirectoryObject,1_2_03073010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073090 NtSetValueKey,1_2_03073090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030735C0 NtCreateMutant,1_2_030735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030739B0 NtGetContextThread,1_2_030739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073D10 NtOpenProcessToken,1_2_03073D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073D70 NtOpenThread,1_2_03073D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A330 NtCreateFile,1_2_0263A330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A3E0 NtReadFile,1_2_0263A3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A460 NtClose,1_2_0263A460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A510 NtAllocateVirtualMemory,1_2_0263A510
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A2EA NtCreateFile,1_2_0263A2EA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A50A NtAllocateVirtualMemory,1_2_0263A50A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0263A58B NtAllocateVirtualMemory,1_2_0263A58B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,1_2_02F7A036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7A042 NtQueryInformationProcess,1_2_02F7A042
          Source: C:\Windows\explorer.exeCode function: 2_2_0E6E2232 NtCreateFile,2_2_0E6E2232
          Source: C:\Windows\explorer.exeCode function: 2_2_0E6E3E12 NtProtectVirtualMemory,2_2_0E6E3E12
          Source: C:\Windows\explorer.exeCode function: 2_2_0E6E3E0A NtProtectVirtualMemory,2_2_0E6E3E0A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022D10 NtMapViewOfSection,LdrInitializeThunk,5_2_05022D10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022DD0 NtDelayExecution,LdrInitializeThunk,5_2_05022DD0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_05022DF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022C60 NtCreateKey,LdrInitializeThunk,5_2_05022C60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_05022C70
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_05022CA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022F30 NtCreateSection,LdrInitializeThunk,5_2_05022F30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022FE0 NtCreateFile,LdrInitializeThunk,5_2_05022FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_05022EA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022B60 NtClose,LdrInitializeThunk,5_2_05022B60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022BE0 NtQueryValueKey,LdrInitializeThunk,5_2_05022BE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_05022BF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022AD0 NtReadFile,LdrInitializeThunk,5_2_05022AD0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_050235C0 NtCreateMutant,LdrInitializeThunk,5_2_050235C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05024650 NtSuspendThread,5_2_05024650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05024340 NtSetContextThread,5_2_05024340
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022D00 NtSetInformationFile,5_2_05022D00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022D30 NtUnmapViewOfSection,5_2_05022D30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022DB0 NtEnumerateKey,5_2_05022DB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022C00 NtQueryInformationProcess,5_2_05022C00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022CC0 NtQueryVirtualMemory,5_2_05022CC0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022CF0 NtOpenProcess,5_2_05022CF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022F60 NtCreateProcessEx,5_2_05022F60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022F90 NtProtectVirtualMemory,5_2_05022F90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022FA0 NtQuerySection,5_2_05022FA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022FB0 NtResumeThread,5_2_05022FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022E30 NtWriteVirtualMemory,5_2_05022E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022E80 NtReadVirtualMemory,5_2_05022E80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022EE0 NtQueueApcThread,5_2_05022EE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022B80 NtQueryInformationFile,5_2_05022B80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022BA0 NtEnumerateValueKey,5_2_05022BA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022AB0 NtWaitForSingleObject,5_2_05022AB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05022AF0 NtWriteFile,5_2_05022AF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05023010 NtOpenDirectoryObject,5_2_05023010
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05023090 NtSetValueKey,5_2_05023090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05023D10 NtOpenProcessToken,5_2_05023D10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_05023D70 NtOpenThread,5_2_05023D70
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_050239B0 NtGetContextThread,5_2_050239B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA3E0 NtReadFile,5_2_02DAA3E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA330 NtCreateFile,5_2_02DAA330
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA460 NtClose,5_2_02DAA460
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA510 NtAllocateVirtualMemory,5_2_02DAA510
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA2EA NtCreateFile,5_2_02DAA2EA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA58B NtAllocateVirtualMemory,5_2_02DAA58B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_02DAA50A NtAllocateVirtualMemory,5_2_02DAA50A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04CFA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,5_2_04CFA036
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04CF9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_04CF9BAF
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04CFA042 NtQueryInformationProcess,5_2_04CFA042
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04CF9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_04CF9BB2
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004096A00_2_004096A0
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0042200C0_2_0042200C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 030BF290 appears 103 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03075130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0302B970 appears 262 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03087E54 appears 107 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0505EA12 appears 86 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04FDB970 appears 262 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 05037E54 appears 107 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 05025130 appears 58 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0506F290 appears 103 times
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: String function: 004115D7 appears 36 times
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: String function: 00416C70 appears 39 times
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: String function: 00445AE0 appears 65 times
          Source: SOA 89035673890.exe, 00000000.00000003.1722521561.0000000004543000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SOA 89035673890.exe
          Source: SOA 89035673890.exe, 00000000.00000003.1722968448.00000000046ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SOA 89035673890.exe
          Source: SOA 89035673890.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: SOA 89035673890.exe PID: 6600, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 2676, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: systray.exe PID: 5956, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/1@11/0
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW, 0_2_0044AF6C
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464EAE
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D619
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 0_2_004755C4
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0047839D
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043305F
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | File created: C:\Users\user\AppData\Local\Temp\Prober
          Source: C:\Windows\SysWOW64\systray.exe | Command line argument: SystemTray_Main 5_2_006913B0
          Source: SOA 89035673890.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: SOA 89035673890.exe | ReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | File read: C:\Users\user\Desktop\SOA 89035673890.exe
          Source: unknown | Process created: C:\Users\user\Desktop\SOA 89035673890.exe "C:\Users\user\Desktop\SOA 89035673890.exe"
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SOA 89035673890.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: SOA 89035673890.exe | Static file information: File size 1111823 > 1048576
          Source: Binary string: systray.pdb source: svchost.exe, 00000001.00000002.1776834326.0000000002EA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.1776592840.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1776616086.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000005.00000002.4136689241.0000000000690000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000001.00000002.1776834326.0000000002EA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.1776592840.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1776616086.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4136689241.0000000000690000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: SOA 89035673890.exe, 00000000.00000003.1721823891.0000000004420000.00000004.00001000.00020000.00000000.sdmp, SOA 89035673890.exe, 00000000.00000003.1722968448.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725662139.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1724219097.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.0000000003000000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1776803846.0000000004C5C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.000000000514E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1779280149.0000000004E08000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SOA 89035673890.exe, 00000000.00000003.1721823891.0000000004420000.00000004.00001000.00020000.00000000.sdmp, SOA 89035673890.exe, 00000000.00000003.1722968448.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1777038365.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725662139.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1724219097.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1777038365.0000000003000000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000005.00000002.4138372758.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1776803846.0000000004C5C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000005.00000002.4138372758.000000000514E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000005.00000003.1779280149.0000000004E08000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4152886900.000000001104F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4139428695.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4137119058.0000000003036000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4152886900.000000001104F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4139428695.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000005.00000002.4137119058.0000000003036000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
          Source: SOA 89035673890.exe | Static PE information: real checksum: 0xa961f should be: 0x11e591
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300225F pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030027FA pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx 1_2_030309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300283D push eax; iretd 1_2_03002858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300135E push eax; iretd 1_2_03001369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0263275B push ss; retf 1_2_0263275D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0263D4D2 push eax; ret 1_2_0263D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0263D4DB push eax; ret 1_2_0263D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0263D485 push eax; ret 1_2_0263D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0263D53C push eax; ret 1_2_0263D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7EB1E push esp; retn 0000h 1_2_02F7EB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7EB02 push esp; retn 0000h 1_2_02F7EB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7E9B5 push esp; retn 0000h 1_2_02F7EAE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E6E5B02 push esp; retn 0000h 2_2_0E6E5B03
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E6E5B1E push esp; retn 0000h 2_2_0E6E5B1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E6E59B5 push esp; retn 0000h 2_2_0E6E5AE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FC43B02 push esp; retn 0000h 2_2_0FC43B03
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FC43B1E push esp; retn 0000h 2_2_0FC43B1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FC439B5 push esp; retn 0000h 2_2_0FC43AE7
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00691B3D push ecx; ret 5_2_00691B50
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04FB27FA pushad ; ret 5_2_04FB27F9
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04FB225F pushad ; ret 5_2_04FB27F9
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04FB283D push eax; iretd 5_2_04FB2858
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04FE09AD push ecx; mov dword ptr [esp], ecx 5_2_04FE09B6
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04FB1368 push eax; iretd 5_2_04FB1369
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_02DAE118 push ecx; ret 5_2_02DAE119
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_02DA275B push ss; retf 5_2_02DA275D
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_02DAD4DB push eax; ret 5_2_02DAD542
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_02DAD4D2 push eax; ret 5_2_02DAD4D8
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SOA 89035673890.exeAPI/Special instruction interceptor: Address: 3F69364
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\systray.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 2629904 second address: 262990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 2629B7E second address: 2629B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 2D99904 second address: 2D9990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 2D99B7E second address: 2D99B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 9751Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 870Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 877Jump to behavior
          Source: C:\Windows\SysWOW64\systray.exeWindow / User API: threadDelayed 546Jump to behavior
          Source: C:\Windows\SysWOW64\systray.exeWindow / User API: threadDelayed 9425Jump to behavior
          Source: C:\Users\user\Desktop\SOA 89035673890.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-85142
          Source: C:\Users\user\Desktop\SOA 89035673890.exeAPI coverage: 3.7 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 2.1 %
          Source: C:\Windows\SysWOW64\systray.exeAPI coverage: 2.2 %
          Source: C:\Windows\explorer.exe TID: 5496Thread sleep count: 9751 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5496Thread sleep time: -19502000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 5496Thread sleep count: 192 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 5496Thread sleep time: -384000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\systray.exe TID: 4048Thread sleep count: 546 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\systray.exe TID: 4048Thread sleep time: -1092000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\systray.exe TID: 4048Thread sleep count: 9425 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\systray.exe TID: 4048Thread sleep time: -18850000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
          Source: explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1736519946.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000002.00000000.1729796780.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1727718919.0000000001248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000002.00000002.4144194272.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000003.3106904847.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000002.00000000.1736519946.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000002.00000003.3114071206.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147057517.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736519946.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: SOA 89035673890.exe, 00000000.00000002.1724673263.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224fg
          Source: explorer.exe, 00000002.00000003.3106904847.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000002.00000000.1729796780.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000002.00000000.1736519946.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000002.00000000.1727718919.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000002.00000000.1727718919.0000000001248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\SOA 89035673890.exe API call chain: ExitProcess graph end node graph_0-84830
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03072B60 NtClose,LdrInitializeThunk, 1_2_03072B60
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_03F69630 mov eax, dword ptr fs:[00000030h] 0_2_03F69630
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_03F695D0 mov eax, dword ptr fs:[00000030h] 0_2_03F695D0
          Source: C:\Users\user\Desktop\SOA 89035673890.exe Code function: 0_2_03F67F90 mov eax, dword ptr fs:[00000030h] 0_2_03F67F90
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h] 1_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h] 1_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h] 1_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h] 1_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h] 1_2_0310634F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h] 1_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h] 1_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h] 1_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h] 1_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h] 1_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h] 1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h] 1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h] 1_2_0310625D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h] 1_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h] 1_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h] 1_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h] 1_2_031062D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h] 1_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03060124 mov eax, dword ptr fs:[00000030h] 1_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h] 1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h] 1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h] 1_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h] 1_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h] 1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036154 mov eax, dword ptr fs:[00000030h] 1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h] 1_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03104164 mov eax, dword ptr fs:[00000030h] 1_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03070185 mov eax, dword ptr fs:[00000030h] 1_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h] 1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h] 1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h] 1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h] 1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B019F mov eax, dword ptr fs:[00000030h] 1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h] 1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h] 1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h] 1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h] 1_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h] 1_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h] 1_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h] 1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h] 1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h] 1_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h] 1_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h] 1_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03032050 mov eax, dword ptr fs:[00000030h] 1_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h] 1_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h] 1_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303208A mov eax, dword ptr fs:[00000030h] 1_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h] 1_2_030280A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h] 1_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h] 1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h] 1_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h] 1_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h] 1_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h] 1_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h] 1_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03030710 mov eax, dword ptr fs:[00000030h] 1_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03060710 mov eax, dword ptr fs:[00000030h] 1_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h] 1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h] 1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h] 1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h] 1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306273C mov eax, dword ptr fs:[00000030h] 1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h] 1_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306674D mov esi, dword ptr fs:[00000030h] 1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h] 1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306674D mov eax, dword ptr fs:[00000030h] 1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03030750 mov eax, dword ptr fs:[00000030h] 1_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h] 1_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h] 1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03072750 mov eax, dword ptr fs:[00000030h] 1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h] 1_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03038770 mov eax, dword ptr fs:[00000030h] 1_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03040770 mov eax, dword ptr fs:[00000030h] 1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D678E mov eax, dword ptr fs:[00000030h] 1_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030307AF mov eax, dword ptr fs:[00000030h] 1_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h] 1_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h] 1_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h] 1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h] 1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030527ED mov eax, dword ptr fs:[00000030h] 1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h] 1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030347FB mov eax, dword ptr fs:[00000030h] 1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h] 1_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304260B mov eax, dword ptr fs:[00000030h] 1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03072619 mov eax, dword ptr fs:[00000030h] 1_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h] 1_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03066620 mov eax, dword ptr fs:[00000030h] 1_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03068620 mov eax, dword ptr fs:[00000030h] 1_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303262C mov eax, dword ptr fs:[00000030h] 1_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h] 1_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h] 1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F866E mov eax, dword ptr fs:[00000030h] 1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h] 1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h] 1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03062674 mov eax, dword ptr fs:[00000030h] 1_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h] 1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034690 mov eax, dword ptr fs:[00000030h] 1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h] 1_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h] 1_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]1_2_030C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]1_2_03064588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]1_2_0306E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]1_2_030365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]1_2_030325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]1_2_0302C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]1_2_030EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]1_2_0302645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]1_2_0305245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]1_2_030BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]1_2_030EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]1_2_030364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]1_2_030644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]1_2_030BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]1_2_030304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]1_2_03104B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4B4B mov eax, dword ptr fs:[00000030h]1_2_030E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03102B57 mov eax, dword ptr fs:[00000030h]1_2_03102B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]1_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]1_2_030D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028B50 mov eax, dword ptr fs:[00000030h]1_2_03028B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]1_2_030DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]1_2_0302CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]1_2_030DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]1_2_0305EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]1_2_030BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]1_2_030BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]1_2_0306CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]1_2_0305EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]1_2_030DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]1_2_03104A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]1_2_03068A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]1_2_03086AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]1_2_03030AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]1_2_030AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]1_2_030AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]1_2_030BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]1_2_03028918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]1_2_03028918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]1_2_030B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]1_2_030C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]1_2_030B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104940 mov eax, dword ptr fs:[00000030h]1_2_03104940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov edx, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]1_2_030D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]1_2_030D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]1_2_030BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]1_2_030309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]1_2_030309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]1_2_030C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]1_2_030649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]1_2_030FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]1_2_030BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]1_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]1_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]1_2_030BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]1_2_0306A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]1_2_030D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]1_2_030D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]1_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]1_2_03060854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]1_2_03034859
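          Every entry above records the same instruction, a load of fs:[30h], which in a 32-bit process (the injected svchost.exe here runs under WOW64) is the address of the Process Environment Block; a function is listed once per such load, which is why 1_2_030429A0 appears thirteen times. The load itself is neutral; what the code reads through the pointer is what matters. PEB+0x02 is BeingDebugged (the inline equivalent of the IsDebuggerPresent calls the report also flags), PEB+0x68 is NtGlobalFlag (heap-debug bits a debugger sets at startup), and PEB+0x0C is Ldr, the module list walked to resolve APIs by hash without an import table. The scanner below is an added example for this report, not Joe Sandbox code or part of the sample: it finds each fs:[30h] load in a 32-bit code blob, names the destination register and classifies the field the next instruction dereferences. The byte string is constructed for the illustration and is not taken from the analysed file.

```python
"""Find PEB reads (fs:[30h]) in 32-bit x86 code and classify their use.
Added illustration for triage; not Joe Sandbox code, not bytes from the sample."""
import re
from typing import Dict, List

# ModRM byte for `mov r32, [disp32]` (mod=00, rm=101) -> destination register
_MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
              0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
_REG_CODE = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
             "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

# 32-bit PEB field offsets that anti-debug and API-resolution code reads
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr",
               0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# 64 A1 30 00 00 00      mov eax, fs:[30h]   (short moffs32 encoding)
# 64 8B /r 30 00 00 00   mov r32, fs:[30h]   (ModRM disp32 encoding)
_PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


def _classify_use(code: bytes, pos: int, reg: str) -> str:
    """Inspect the instruction right after the PEB load. If it is
    `mov r32, [reg+disp8]` (8B) or `movzx r32, byte [reg+disp8]` (0F B6),
    map disp8 to the PEB field name; anything else is reported as unknown."""
    if reg == "esp":                      # rm=100 means a SIB byte follows; not decoded here
        return "unknown"
    if code[pos:pos + 2] == b"\x0F\xB6":
        modrm_at = pos + 2
    elif code[pos:pos + 1] == b"\x8B":
        modrm_at = pos + 1
    else:
        return "unknown"
    if modrm_at + 1 >= len(code):         # need both the ModRM and the disp8 byte
        return "unknown"
    modrm = code[modrm_at]
    if (modrm >> 6) != 0b01 or (modrm & 7) != _REG_CODE[reg]:   # mod=01 (disp8), rm=reg
        return "unknown"
    disp8 = code[modrm_at + 1]
    return _PEB_FIELDS.get(disp8, f"PEB+0x{disp8:02x}")


def find_peb_reads(code: bytes) -> List[Dict[str, object]]:
    """Return one record per fs:[30h] load: code offset, register, classified use."""
    hits = []
    for m in _PEB_LOAD.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else _MODRM_REG[raw[2]]
        hits.append({"offset": m.start(), "reg": reg,
                     "use": _classify_use(code, m.end(), reg)})
    return hits


# Constructed sample (not from the analysed file): four PEB loads and one decoy
# read of fs:[18h], the TEB self-pointer, which must not match.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0"    # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax
    "648B1D30000000" "8B4368"           # mov ebx,fs:[30h]; mov eax,[ebx+68h]
    "648B0D30000000" "8B410C"           # mov ecx,fs:[30h]; mov eax,[ecx+0Ch]
    "64A118000000"                      # mov eax,fs:[18h]   (decoy, TEB not PEB)
    "648B1530000000" "C3"               # mov edx,fs:[30h]; ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE_CODE):
        print(f"+0x{hit['offset']:04x}  mov {hit['reg']}, fs:[30h]  ->  {hit['use']}")
```

          Run over a dump of the injected region in svchost.exe, the use column separates the BeingDebugged and NtGlobalFlag reads (anti-debug) from the Ldr reads (API resolution by module walk). The classifier only decodes the two common follow-on forms with an 8-bit displacement; a load followed by anything else is reported as unknown rather than guessed, so treat unknown as "look at it", not "benign".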
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
          Source: C:\Users\user\Desktop\SOA 89035673890.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_00691B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00691B93

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 690000
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2578008
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00436CD7 LogonUserW | 0_2_00436CD7
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D590
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00434418
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_0043333C
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SOA 89035673890.exe"
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00446124
          Source: SOA 89035673890.exe, explorer.exe, 00000002.00000000.1729466917.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114071206.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1728123203.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.1728123203.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4138411475.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.4137122743.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1727718919.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
          Source: explorer.exe, 00000002.00000000.1728123203.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4138411475.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.1728123203.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4138411475.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: SOA 89035673890.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW | 0_2_004720DB
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00472C3F GetUserNameW | 0_2_00472C3F
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 0_2_0041E364
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary | 0_2_0040E500

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: SOA 89035673890.exe | Binary or memory string: WIN_XP
          Source: SOA 89035673890.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
          Source: SOA 89035673890.exe | Binary or memory string: WIN_XPe
          Source: SOA 89035673890.exe | Binary or memory string: WIN_VISTA
          Source: SOA 89035673890.exe | Binary or memory string: WIN_7
          Source: SOA 89035673890.exe | Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.2620000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SOA 89035673890.exe.43f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket | 0_2_004652BE
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00476619
          Source: C:\Users\user\Desktop\SOA 89035673890.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject | 0_2_0046CEF3
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 1 Shared Modules | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 512 Process Injection | 2 Valid Accounts | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 512 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1520360
          Sample: SOA 89035673890.exe
          Startdate: 27/09/2024
          Architecture: WINDOWS
          Score: 100
          Start node: www.uckyspinph.xyz, www.rograma-de-almacen-2.online, 9 other IPs or domains; Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
          www.uckyspinph.xyz: Performs DNS queries to domains with low reputation
          SOA 89035673890.exe 1 (started): Writes to foreign memory regions; Maps a DLL or memory area into another process
            svchost.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
              explorer.exe 69 1 (injected)
                systray.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                  cmd.exe 1 (started)
                    conhost.exe (started)
                autofmt.exe (started)
                autofmt.exe (started)

          Source | Detection | Scanner | Label | Link
          SOA 89035673890.exe | 50% | ReversingLabs | Win32.Trojan.Autoitinject
          SOA 89035673890.exe | 100% | Joe Sandbox ML
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
                                • Avira URL Cloud: safe
                                unknown
                                http://www.atangtoto4.click/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ampanyaak.clickReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.anatanwater.netexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.6snf.shop/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ampanyaak.click/e62s/www.6snf.shopexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.3llyb.vipexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.orsaperevod.onlineexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.mwquas.xyz/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000002.00000000.1739009190.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3109264702.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.6snf.shop/e62s/www.rograma-de-almacen-2.onlineexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.dneshima.todayexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000002.00000003.3109264702.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112713912.000000000C9B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C964000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://wns.windows.com/Lexplorer.exe, 00000002.00000000.1739009190.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150486626.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jacksontimepiece.netexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.orsaperevod.onlineReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://word.office.comexplorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.shacertification9.shop/e62s/explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ighrane.online/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jacksontimepiece.net/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.shacertification9.shopReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://schemas.micrexplorer.exe, 00000002.00000000.1737348596.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ellinksa.shopReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ighrane.onlineexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.atangtoto4.clickReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.uckyspinph.xyz/e62s/www.ampanyaak.clickexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ctivemail5-kagoya-com.infoexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000002.4150486626.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000002.00000000.1729796780.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.rograma-de-almacen-2.onlineReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://outlook.com_explorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.anatanwater.net/e62s/www.atangtoto4.clickexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.rograma-de-almacen-2.online/e62s/www.orsaperevod.onlineexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.shacertification9.shopexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ampanyaak.clickexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ighrane.online/e62s/www.dneshima.todayexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.mwquas.xyz/e62s/www.ighrane.onlineexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.miexplorer.exe, 00000002.00000000.1737348596.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147969859.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.anatanwater.netReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000002.00000002.4144194272.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ctivemail5-kagoya-com.info/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ellinksa.shop/e62s/explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://powerpoint.office.comcemberexplorer.exe, 00000002.00000003.3109264702.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739009190.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4151004410.000000000C5E4000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.mwquas.xyzReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.uckyspinph.xyzReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000002.00000002.4144194272.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1729796780.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.microexplorer.exe, 00000002.00000000.1735381420.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1735937795.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737554147.0000000009B60000.00000002.00000001.00040000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.atangtoto4.clickexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.atangtoto4.click/e62s/www.mwquas.xyzexplorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.dneshima.todayReferer:explorer.exe, 00000002.00000003.3105272073.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478471133.000000000CB2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4152006439.000000000CB2F000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                No contacted IP infos
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1520360
                                Start date and time:2024-09-27 09:08:05 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 10m 41s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Sample name:SOA 89035673890.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@12/1@11/0
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 53
                                • Number of non-executed functions: 302
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtEnumerateKey calls found.
                                • Report size getting too big, too many NtOpenKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: SOA 89035673890.exe
Time      Type             Description
03:09:16  API Interceptor  8947492x Sleep call for process: explorer.exe modified
03:09:45  API Interceptor  7573520x Sleep call for process: systray.exe modified
                                No context
                                Process:C:\Users\user\Desktop\SOA 89035673890.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):189440
                                Entropy (8bit):7.876461383159956
                                Encrypted:false
                                SSDEEP:3072:ddBWrIfyp70feVqifiGJqRGfiWXhz5HqylFr1QF96WNpr2tUyVE9yUvD/Yu8rrrN:ddBWrI4WBj3w9Ky7srr2dE9XvD/Cd
                                MD5:3F9C82E32164BA04E6E7199580EC3D13
                                SHA1:677ADA586ED552B6A12166F2375939AFC0E9ED95
                                SHA-256:B64FA0A02313DDBCB2D163994EDA5B9F17395D6835FC51BD20F38E7472EB89C7
                                SHA-512:01D386A1BE97AF1C8083CE24DAAF3AC25FCD3BB67C8FF4ACF5D46A9ADD107A34486E365C9FFD19FEFB2F837E749D3D8E899E785AEF3D3D22217E7B2214CC7345
                                Malicious:false
                                Reputation:low
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.391361787898883
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:SOA 89035673890.exe
                                File size:1'111'823 bytes
                                MD5:f2a9270835ef7d0db0a287867cb98f6f
                                SHA1:3d3b9b719b0d4c1040e3b337ecae1f5b8729f5db
                                SHA256:e518c029a8b513fd3c2e77c475f8bd19c54c8a15d38198d878c8322a7b491f52
                                SHA512:3b6339a3434693dd9076469ee757805e7e2b78d14c77624a0a4b3b9a65f9b8a275137f5e8638abebfd5da7dbe1592aa7300543905d93a118779ae15f04c80837
                                SSDEEP:24576:8RmJkcoQricOIQxiZY1iaADPzYJw7P04dA2iGKowNCC:pJZoQrbTFZY1iaADPzpzqhaw8C
                                TLSH:AF35E122F9D68036C2F323B19E7EF36A9A3D653A0336D19737C82D615E605416B2D723
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                Icon Hash:566c39314c96ab45
                                Entrypoint:0x4165c1
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                Instruction
                                call 00007FD6E50EF93Bh
                                jmp 00007FD6E50E67AEh
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push edi
                                push esi
                                mov esi, dword ptr [ebp+0Ch]
                                mov ecx, dword ptr [ebp+10h]
                                mov edi, dword ptr [ebp+08h]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007FD6E50E692Ah
                                cmp edi, eax
                                jc 00007FD6E50E6AC6h
                                cmp ecx, 00000080h
                                jc 00007FD6E50E693Eh
                                cmp dword ptr [004A9724h], 00000000h
                                je 00007FD6E50E6935h
                                push edi
                                push esi
                                and edi, 0Fh
                                and esi, 0Fh
                                cmp edi, esi
                                pop esi
                                pop edi
                                jne 00007FD6E50E6927h
                                jmp 00007FD6E50E6D02h
                                test edi, 00000003h
                                jne 00007FD6E50E6936h
                                shr ecx, 02h
                                and edx, 03h
                                cmp ecx, 08h
                                jc 00007FD6E50E694Bh
                                rep movsd
                                jmp dword ptr [00416740h+edx*4]
                                mov eax, edi
                                mov edx, 00000003h
                                sub ecx, 04h
                                jc 00007FD6E50E692Eh
                                and eax, 03h
                                add ecx, eax
                                jmp dword ptr [00416654h+eax*4]
                                jmp dword ptr [00416750h+ecx*4]
                                nop
                                jmp dword ptr [004166D4h+ecx*4]
                                nop
                                inc cx
                                add byte ptr [eax-4BFFBE9Ah], dl
                                inc cx
                                add byte ptr [ebx], ah
                                ror dword ptr [edx-75F877FAh], 1
                                inc esi
                                add dword ptr [eax+468A0147h], ecx
                                add al, cl
                                jmp 00007FD6E755F127h
                                add esi, 03h
                                add edi, 03h
                                cmp ecx, 08h
                                jc 00007FD6E50E68EEh
                                rep movsd
                                jmp dword ptr [00000000h+edx*4]
                                Programming Language:
                                • [ C ] VS2010 SP1 build 40219
                                • [C++] VS2010 SP1 build 40219
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [ASM] VS2010 SP1 build 40219
                                • [RES] VS2010 SP1 build 40219
                                • [LNK] VS2010 SP1 build 40219
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8d41c          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xab000          0x54f8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x82000          0x844         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8061c       0x80800   61ffce4768976fa0dd2a8f6a97b1417a  False     0.5583182605787937   data       6.684690148171278   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x82000          0xdfc0        0xe000    0354bc5f2376b5e9a4a3ba38b682dff1  False     0.36085728236607145  data       4.799741132252136   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x90000          0x1a758       0x6800    8033f5a38941b4685bc2299e78f31221  False     0.15324519230769232  data       2.1500715391677487  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xab000          0x54f8        0x5600    38d65eb9c9554a7f8dbad7f7b066221a  False     0.2285610465116279   data       4.143084940351676   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                             Language  Country        ZLIB Complexity
RT_ICON        0xab448  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors              English   Great Britain  0.3277027027027027
RT_ICON        0xab570  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                                   English   Great Britain  0.7466216216216216
RT_ICON        0xab698  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                                   English   Great Britain  0.3885135135135135
RT_ICON        0xab7c0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m    English   Great Britain  0.1754149377593361
RT_MENU        0xadd68  0x50    data                                                                                             English   Great Britain  0.9
RT_DIALOG      0xaddb8  0xfc    data                                                                                             English   Great Britain  0.6507936507936508
RT_STRING      0xadeb8  0x530   data                                                                                             English   Great Britain  0.33960843373493976
RT_STRING      0xae3e8  0x690   data                                                                                             English   Great Britain  0.26964285714285713
RT_STRING      0xaea78  0x4d0   data                                                                                             English   Great Britain  0.36363636363636365
RT_STRING      0xaef48  0x5fc   data                                                                                             English   Great Britain  0.3087467362924282
RT_STRING      0xaf548  0x65c   data                                                                                             English   Great Britain  0.34336609336609336
RT_STRING      0xafba8  0x388   data                                                                                             English   Great Britain  0.377212389380531
RT_STRING      0xaff30  0x158   Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                                 English   United States  0.502906976744186
RT_GROUP_ICON  0xb0088  0x14    data                                                                                             English   Great Britain  1.25
RT_GROUP_ICON  0xb00a0  0x14    data                                                                                             English   Great Britain  1.15
RT_GROUP_ICON  0xb00b8  0x14    data                                                                                             English   Great Britain  1.25
RT_GROUP_ICON  0xb00d0  0x14    data                                                                                             English   Great Britain  1.25
RT_VERSION     0xb00e8  0x19c   data                                                                                             English   Great Britain  0.5339805825242718
RT_MANIFEST    0xb0288  0x26c   ASCII text, with CRLF line terminators                                                           English   United States  0.5145161290322581
DLL: Imports
WSOCK32.dll: __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll: WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL: EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll: HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 09:09:38.430039883 CEST | 61607 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:09:38.439132929 CEST | 53 | 61607 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:09:59.851912975 CEST | 56653 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:09:59.862009048 CEST | 53 | 56653 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:10:19.554713964 CEST | 58413 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:10:19.699814081 CEST | 53 | 58413 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:10:39.836055994 CEST | 52550 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:10:39.855403900 CEST | 53 | 52550 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:11:20.695457935 CEST | 58958 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:11:20.705465078 CEST | 53 | 58958 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:11:41.178774118 CEST | 60396 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:11:41.194607019 CEST | 53 | 60396 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:12:01.633327007 CEST | 52033 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:12:01.642910957 CEST | 53 | 52033 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:12:22.070461988 CEST | 51288 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:12:22.217696905 CEST | 53 | 51288 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:12:42.461097956 CEST | 64883 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:12:42.470052958 CEST | 53 | 64883 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:13:02.867250919 CEST | 62033 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:13:02.887295961 CEST | 53 | 62033 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 09:13:24.494604111 CEST | 57086 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 09:13:24.504415989 CEST | 53 | 57086 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 09:09:38.430039883 CEST | 192.168.2.4 | 1.1.1.1 | 0xcbf0 | Standard query (0) | www.ctivemail5-kagoya-com.info | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:09:59.851912975 CEST | 192.168.2.4 | 1.1.1.1 | 0x3ed5 | Standard query (0) | www.heirbuzzwords.buzz | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:10:19.554713964 CEST | 192.168.2.4 | 1.1.1.1 | 0x23b5 | Standard query (0) | www.anatanwater.net | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:10:39.836055994 CEST | 192.168.2.4 | 1.1.1.1 | 0xab98 | Standard query (0) | www.atangtoto4.click | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:11:20.695457935 CEST | 192.168.2.4 | 1.1.1.1 | 0x48bd | Standard query (0) | www.ighrane.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:11:41.178774118 CEST | 192.168.2.4 | 1.1.1.1 | 0xfa7a | Standard query (0) | www.dneshima.today | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:01.633327007 CEST | 192.168.2.4 | 1.1.1.1 | 0x8c05 | Standard query (0) | www.uckyspinph.xyz | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:22.070461988 CEST | 192.168.2.4 | 1.1.1.1 | 0xe884 | Standard query (0) | www.ampanyaak.click | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:42.461097956 CEST | 192.168.2.4 | 1.1.1.1 | 0xed6b | Standard query (0) | www.6snf.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:13:02.867250919 CEST | 192.168.2.4 | 1.1.1.1 | 0x3b92 | Standard query (0) | www.rograma-de-almacen-2.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:13:24.494604111 CEST | 192.168.2.4 | 1.1.1.1 | 0xd6f8 | Standard query (0) | www.orsaperevod.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 09:09:38.439132929 CEST | 1.1.1.1 | 192.168.2.4 | 0xcbf0 | Name error (3) | www.ctivemail5-kagoya-com.info | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:09:59.862009048 CEST | 1.1.1.1 | 192.168.2.4 | 0x3ed5 | Name error (3) | www.heirbuzzwords.buzz | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:10:19.699814081 CEST | 1.1.1.1 | 192.168.2.4 | 0x23b5 | Name error (3) | www.anatanwater.net | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:10:39.855403900 CEST | 1.1.1.1 | 192.168.2.4 | 0xab98 | Name error (3) | www.atangtoto4.click | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:11:20.705465078 CEST | 1.1.1.1 | 192.168.2.4 | 0x48bd | Name error (3) | www.ighrane.online | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:11:41.194607019 CEST | 1.1.1.1 | 192.168.2.4 | 0xfa7a | Name error (3) | www.dneshima.today | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:01.642910957 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c05 | Name error (3) | www.uckyspinph.xyz | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:22.217696905 CEST | 1.1.1.1 | 192.168.2.4 | 0xe884 | Name error (3) | www.ampanyaak.click | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:12:42.470052958 CEST | 1.1.1.1 | 192.168.2.4 | 0xed6b | Name error (3) | www.6snf.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:13:02.887295961 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b92 | Name error (3) | www.rograma-de-almacen-2.online | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 09:13:24.504415989 CEST | 1.1.1.1 | 192.168.2.4 | 0xd6f8 | Name error (3) | www.orsaperevod.online | none | none | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 03:08:57
Start date: 27/09/2024
Path: C:\Users\user\Desktop\SOA 89035673890.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SOA 89035673890.exe"
Imagebase: 0x400000
File size: 1'111'823 bytes
MD5 hash: F2A9270835EF7D0DB0A287867CB98F6F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1725331810.00000000043F0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 1
Start time: 03:09:01
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SOA 89035673890.exe"
Imagebase: 0x150000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1776799246.0000000002E70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1776763291.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1776288968.0000000002621000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:09:01
Start date: 27/09/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 03:09:03
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\autofmt.exe"
Imagebase: 0x2e0000
File size: 822'272 bytes
MD5 hash: C72D80A976B7EB40534E8464957A979F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 03:09:03
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\autofmt.exe"
Imagebase: 0x2e0000
File size: 822'272 bytes
MD5 hash: C72D80A976B7EB40534E8464957A979F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 03:09:03
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\systray.exe"
Imagebase: 0x690000
File size: 9'728 bytes
MD5 hash: 28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4137609395.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4137525602.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4136875397.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 03:09:07
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:09:07
Start date: 27/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 3.5%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 8.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 36
84704->84703 84705 413768 84704->84705 84711 417f77 46 API calls __getptd_noexit 84705->84711 84707 41376e GetLastError 84707->84703 84712 417daa 84708->84712 84711->84707 84713 417dc9 setSBUpLow __call_reportfault 84712->84713 84714 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 84713->84714 84717 417eb5 __call_reportfault 84714->84717 84716 417ed1 GetCurrentProcess TerminateProcess 84716->84640 84718 41a208 84717->84718 84719 41a210 84718->84719 84720 41a212 IsDebuggerPresent 84718->84720 84719->84716 84726 41fe19 84720->84726 84723 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 84724 421ff0 __call_reportfault 84723->84724 84725 421ff8 GetCurrentProcess TerminateProcess 84723->84725 84724->84725 84725->84716 84726->84723 84727->84644 84730 408f48 moneypunct 84728->84730 84729 4265c7 VariantClear 84731 408f55 moneypunct 84729->84731 84730->84729 84730->84731 84731->84649 84788 40ebd0 84732->84788 84792 4182cb 84735->84792 84737 41195e 84799 4181f2 LeaveCriticalSection 84737->84799 84739 40d748 84740 4119b0 84739->84740 84741 4119d6 84740->84741 84742 4119bc 84740->84742 84741->84657 84742->84741 84834 417f77 46 API calls __getptd_noexit 84742->84834 84744 4119c6 84835 417f25 10 API calls __fptostr 84744->84835 84746 4119d1 84746->84657 84747->84659 84836 401f20 84748->84836 84750 40d5b6 IsDebuggerPresent 84751 40d5c4 84750->84751 84752 42e1bb MessageBoxA 84750->84752 84753 42e1d4 84751->84753 84754 40d5e3 84751->84754 84752->84753 85008 403a50 52 API calls 3 library calls 84753->85008 84906 40f520 84754->84906 84758 40d5fd GetFullPathNameW 84918 401460 84758->84918 84760 40d63b 84761 40d643 84760->84761 84762 42e231 SetCurrentDirectoryW 84760->84762 84763 40d64c 84761->84763 85009 432fee 6 API calls 84761->85009 84762->84761 84933 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 84763->84933 84767 42e252 84767->84763 84769 42e25a GetModuleFileNameW 84767->84769 84770 42e274 84769->84770 84771 42e2cb 
GetForegroundWindow ShellExecuteW 84769->84771 85010 401b10 84770->85010 84775 40d688 84771->84775 84772 40d656 84774 40d669 84772->84774 84777 40e0c0 74 API calls 84772->84777 84941 4091e0 84774->84941 84781 40d692 SetCurrentDirectoryW 84775->84781 84777->84774 84781->84661 84782 42e28d 85017 40d200 52 API calls 2 library calls 84782->85017 84785 42e299 GetForegroundWindow ShellExecuteW 84786 42e2c6 84785->84786 84786->84775 84787 40ec00 LoadLibraryA GetProcAddress 84787->84652 84789 40d72e 84788->84789 84790 40ebd6 LoadLibraryA 84788->84790 84789->84652 84789->84787 84790->84789 84791 40ebe7 GetProcAddress 84790->84791 84791->84789 84793 4182e0 84792->84793 84794 4182f3 EnterCriticalSection 84792->84794 84800 418209 84793->84800 84794->84737 84796 4182e6 84796->84794 84827 411924 46 API calls 3 library calls 84796->84827 84799->84739 84801 418215 __wsopen_helper 84800->84801 84802 418225 84801->84802 84803 41823d 84801->84803 84828 418901 46 API calls 2 library calls 84802->84828 84805 416b04 __malloc_crt 45 API calls 84803->84805 84811 41824b __wsopen_helper 84803->84811 84807 418256 84805->84807 84806 41822a 84829 418752 46 API calls 8 library calls 84806->84829 84809 41825d 84807->84809 84810 41826c 84807->84810 84831 417f77 46 API calls __getptd_noexit 84809->84831 84814 4182cb __lock 45 API calls 84810->84814 84811->84796 84812 418231 84830 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84812->84830 84816 418273 84814->84816 84818 4182a6 84816->84818 84819 41827b InitializeCriticalSectionAndSpinCount 84816->84819 84820 413748 _free 45 API calls 84818->84820 84821 418297 84819->84821 84822 41828b 84819->84822 84820->84821 84833 4182c2 LeaveCriticalSection _doexit 84821->84833 84823 413748 _free 45 API calls 84822->84823 84825 418291 84823->84825 84832 417f77 46 API calls __getptd_noexit 84825->84832 84828->84806 84829->84812 84831->84811 84832->84821 84833->84811 84834->84744 84835->84746 85018 40e6e0 84836->85018 84840 401f41 
GetModuleFileNameW 85036 410100 84840->85036 84842 401f5c 85048 410960 84842->85048 84845 401b10 52 API calls 84846 401f81 84845->84846 85051 401980 84846->85051 84848 401f8e 84849 408f40 VariantClear 84848->84849 84850 401f9d 84849->84850 84851 401b10 52 API calls 84850->84851 84852 401fb4 84851->84852 84853 401980 53 API calls 84852->84853 84854 401fc3 84853->84854 84855 401b10 52 API calls 84854->84855 84856 401fd2 84855->84856 85059 40c2c0 84856->85059 84858 401fe1 84859 40bc70 52 API calls 84858->84859 84860 401ff3 84859->84860 85077 401a10 84860->85077 84862 401ffe 85084 4114ab 84862->85084 84865 428b05 84867 401a10 52 API calls 84865->84867 84866 402017 84868 4114ab __wcsicoll 58 API calls 84866->84868 84869 428b18 84867->84869 84870 402022 84868->84870 84872 401a10 52 API calls 84869->84872 84870->84869 84871 40202d 84870->84871 84873 4114ab __wcsicoll 58 API calls 84871->84873 84874 428b33 84872->84874 84875 402038 84873->84875 84877 428b3b GetModuleFileNameW 84874->84877 84876 402043 84875->84876 84875->84877 84878 4114ab __wcsicoll 58 API calls 84876->84878 84879 401a10 52 API calls 84877->84879 84880 40204e 84878->84880 84881 428b6c 84879->84881 84882 402092 84880->84882 84887 401a10 52 API calls 84880->84887 84889 428b90 _wcscpy 84880->84889 84883 40e0a0 52 API calls 84881->84883 84885 4020a3 84882->84885 84882->84889 84884 428b7a 84883->84884 84888 401a10 52 API calls 84884->84888 84886 428bc6 84885->84886 85092 40e830 53 API calls 84885->85092 84891 402073 _wcscpy 84887->84891 84892 428b88 84888->84892 84893 401a10 52 API calls 84889->84893 84897 401a10 52 API calls 84891->84897 84892->84889 84901 4020d0 84893->84901 84894 4020bb 85093 40cf00 53 API calls 84894->85093 84896 4020c6 84898 408f40 VariantClear 84896->84898 84897->84882 84898->84901 84899 402110 84903 408f40 VariantClear 84899->84903 84901->84899 84904 401a10 52 API calls 84901->84904 85094 40cf00 53 API calls 84901->85094 85095 40e6a0 53 API calls 84901->85095 84905 402120 moneypunct 
84903->84905 84904->84901 84905->84750 84907 4295c9 setSBUpLow 84906->84907 84908 40f53c 84906->84908 84910 4295d9 GetOpenFileNameW 84907->84910 85788 410120 84908->85788 84910->84908 84913 40d5f5 84910->84913 84911 40f545 85792 4102b0 SHGetMalloc 84911->85792 84913->84758 84913->84760 84914 40f54c 85797 410190 GetFullPathNameW 84914->85797 84916 40f559 85808 40f570 84916->85808 85864 402400 84918->85864 84920 40146f 84923 428c29 _wcscat 84920->84923 85873 401500 84920->85873 84922 40147c 84922->84923 85881 40d440 84922->85881 84925 401489 84925->84923 84926 401491 GetFullPathNameW 84925->84926 84927 402160 52 API calls 84926->84927 84928 4014bb 84927->84928 84929 402160 52 API calls 84928->84929 84930 4014c8 84929->84930 84930->84923 84931 402160 52 API calls 84930->84931 84932 4014ee 84931->84932 84932->84760 84934 428361 84933->84934 84935 4103fc LoadImageW RegisterClassExW 84933->84935 85901 44395e EnumResourceNamesW LoadImageW 84934->85901 85900 410490 7 API calls 84935->85900 84938 40d651 84940 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 84938->84940 84939 428368 84940->84772 84942 409202 84941->84942 84943 42d7ad 84941->84943 85002 409216 moneypunct 84942->85002 86173 410940 331 API calls 84942->86173 86176 45e737 90 API calls 3 library calls 84943->86176 84946 409386 84947 40939c 84946->84947 86174 40f190 10 API calls 84946->86174 84947->84775 85007 401000 Shell_NotifyIconW setSBUpLow 84947->85007 84949 4095b2 84949->84947 84951 4095bf 84949->84951 84950 409253 PeekMessageW 84950->85002 86175 401a50 331 API calls 84951->86175 84953 42d8cd Sleep 84953->85002 84954 4095c6 LockWindowUpdate DestroyWindow GetMessageW 84954->84947 84957 4095f9 84954->84957 84956 42e13b 86194 40d410 VariantClear 84956->86194 84959 42e158 TranslateMessage DispatchMessageW GetMessageW 84957->84959 84959->84959 84962 42e188 84959->84962 84961 409567 PeekMessageW 84961->85002 84962->84947 84965 44c29d 52 API calls 84996 4094e0 84965->84996 84966 46fdbf 108 API calls 
84966->84996 84967 46f3c1 107 API calls 84967->85002 84968 40e0a0 52 API calls 84968->85002 84969 409551 TranslateMessage DispatchMessageW 84969->84961 84971 42dcd2 WaitForSingleObject 84972 42dcf0 GetExitCodeProcess CloseHandle 84971->84972 84971->85002 86183 40d410 VariantClear 84972->86183 84974 42dd3d Sleep 84974->84996 84977 4094cf Sleep 84977->84996 84979 42d94d timeGetTime 86179 465124 53 API calls 84979->86179 84981 40d410 VariantClear 84981->85002 84982 40c620 timeGetTime 84982->84996 84985 42dd89 CloseHandle 84985->84996 84986 47d33e 309 API calls 84986->85002 84988 408f40 VariantClear 84988->84996 84989 465124 53 API calls 84989->84996 84990 42de19 GetExitCodeProcess CloseHandle 84990->84996 84992 401b10 52 API calls 84992->84996 84994 42de88 Sleep 84994->85002 84996->84965 84996->84966 84996->84982 84996->84985 84996->84988 84996->84989 84996->84990 84996->84992 84996->84994 84996->85002 85005 401980 53 API calls 84996->85005 86180 45178a 54 API calls 84996->86180 86181 47d33e 331 API calls 84996->86181 86182 453bc6 54 API calls 84996->86182 86184 40d410 VariantClear 84996->86184 86185 443d19 67 API calls _wcslen 84996->86185 86186 4574b4 VariantClear 84996->86186 86187 403cd0 84996->86187 86191 4731e1 VariantClear 84996->86191 86192 4331a2 6 API calls 84996->86192 84998 45e737 90 API calls 84998->85002 85001 42e0cc VariantClear 85001->85002 85002->84946 85002->84950 85002->84953 85002->84956 85002->84961 85002->84967 85002->84968 85002->84969 85002->84971 85002->84974 85002->84977 85002->84979 85002->84981 85002->84986 85002->84996 85002->84998 85002->85001 85003 408f40 VariantClear 85002->85003 85902 4091b0 85002->85902 85960 40afa0 85002->85960 85986 408fc0 85002->85986 86021 408cc0 85002->86021 86035 40d150 85002->86035 86040 40d170 85002->86040 86046 4096a0 85002->86046 86177 465124 53 API calls 85002->86177 86178 40c620 timeGetTime 85002->86178 86193 40e270 VariantClear moneypunct 85002->86193 85003->85002 85005->84996 85007->84775 85008->84760 
85009->84767 85011 401b16 _wcslen 85010->85011 85012 4115d7 52 API calls 85011->85012 85013 401b63 85011->85013 85014 401b4b _memmove 85012->85014 85016 40d200 52 API calls 2 library calls 85013->85016 85015 4115d7 52 API calls 85014->85015 85015->85013 85016->84782 85017->84785 85019 40bc70 52 API calls 85018->85019 85020 401f31 85019->85020 85021 402560 85020->85021 85022 40256d __write_nolock 85021->85022 85023 402160 52 API calls 85022->85023 85025 402593 85023->85025 85035 4025bd 85025->85035 85096 401c90 85025->85096 85026 4026f0 52 API calls 85026->85035 85027 4026a7 85028 401b10 52 API calls 85027->85028 85034 4026db 85027->85034 85030 4026d1 85028->85030 85029 401b10 52 API calls 85029->85035 85100 40d7c0 52 API calls 2 library calls 85030->85100 85032 401c90 52 API calls 85032->85035 85034->84840 85035->85026 85035->85027 85035->85029 85035->85032 85099 40d7c0 52 API calls 2 library calls 85035->85099 85101 40f760 85036->85101 85039 410118 85039->84842 85041 42805d 85042 42806a 85041->85042 85157 431e58 85041->85157 85044 413748 _free 46 API calls 85042->85044 85045 428078 85044->85045 85046 431e58 82 API calls 85045->85046 85047 428084 85046->85047 85047->84842 85049 4115d7 52 API calls 85048->85049 85050 401f74 85049->85050 85050->84845 85052 4019a3 85051->85052 85058 401985 85051->85058 85053 4019b8 85052->85053 85052->85058 85777 403e10 53 API calls 85053->85777 85055 40199f 85055->84848 85057 4019c4 85057->84848 85058->85055 85776 403e10 53 API calls 85058->85776 85060 40c2c7 85059->85060 85061 40c30e 85059->85061 85062 40c2d3 85060->85062 85070 426c79 85060->85070 85063 40c315 85061->85063 85064 426c2b 85061->85064 85778 403ea0 52 API calls __cinit 85062->85778 85067 40c321 85063->85067 85068 426c5a 85063->85068 85066 426c4b 85064->85066 85071 426c2e 85064->85071 85781 4534e3 52 API calls 85066->85781 85779 403ea0 52 API calls __cinit 85067->85779 85782 4534e3 52 API calls 85068->85782 85783 4534e3 52 API calls 85070->85783 85076 40c2de 85071->85076 
85780 4534e3 52 API calls 85071->85780 85076->84858 85078 401a30 85077->85078 85079 401a17 85077->85079 85081 402160 52 API calls 85078->85081 85080 401a2d 85079->85080 85784 403c30 52 API calls _memmove 85079->85784 85080->84862 85083 401a3d 85081->85083 85083->84862 85085 411523 85084->85085 85086 4114ba 85084->85086 85787 4113a8 58 API calls 3 library calls 85085->85787 85091 40200c 85086->85091 85785 417f77 46 API calls __getptd_noexit 85086->85785 85089 4114c6 85786 417f25 10 API calls __fptostr 85089->85786 85091->84865 85091->84866 85092->84894 85093->84896 85094->84901 85095->84901 85097 4026f0 52 API calls 85096->85097 85098 401c97 85097->85098 85098->85025 85099->85035 85100->85034 85161 40f6f0 85101->85161 85103 40f77b _strcat moneypunct 85169 40f850 85103->85169 85108 427c2a 85198 414d04 85108->85198 85110 40f7fc 85110->85108 85111 40f804 85110->85111 85185 414a46 85111->85185 85115 40f80e 85115->85039 85120 4528bd 85115->85120 85117 427c59 85204 414fe2 85117->85204 85119 427c79 85121 4150d1 _fseek 81 API calls 85120->85121 85122 452930 85121->85122 85701 452719 85122->85701 85125 452948 85125->85041 85126 414d04 __fread_nolock 61 API calls 85127 452966 85126->85127 85128 414d04 __fread_nolock 61 API calls 85127->85128 85129 452976 85128->85129 85130 414d04 __fread_nolock 61 API calls 85129->85130 85131 45298f 85130->85131 85132 414d04 __fread_nolock 61 API calls 85131->85132 85133 4529aa 85132->85133 85134 4150d1 _fseek 81 API calls 85133->85134 85135 4529c4 85134->85135 85136 4135bb _malloc 46 API calls 85135->85136 85137 4529cf 85136->85137 85138 4135bb _malloc 46 API calls 85137->85138 85139 4529db 85138->85139 85140 414d04 __fread_nolock 61 API calls 85139->85140 85141 4529ec 85140->85141 85142 44afef GetSystemTimeAsFileTime 85141->85142 85143 452a00 85142->85143 85144 452a36 85143->85144 85145 452a13 85143->85145 85147 452aa5 85144->85147 85148 452a3c 85144->85148 85146 413748 _free 46 API calls 85145->85146 85150 452a1c 85146->85150 85149 413748 
_free 46 API calls 85147->85149 85707 44b1a9 85148->85707 85152 452aa3 85149->85152 85153 413748 _free 46 API calls 85150->85153 85152->85041 85155 452a25 85153->85155 85154 452a9d 85156 413748 _free 46 API calls 85154->85156 85155->85041 85156->85152 85158 431e64 85157->85158 85160 431e6a 85157->85160 85159 414a46 __fcloseall 82 API calls 85158->85159 85159->85160 85160->85042 85162 425de2 85161->85162 85163 40f6fc _wcslen 85161->85163 85162->85103 85164 40f710 WideCharToMultiByte 85163->85164 85165 40f756 85164->85165 85166 40f728 85164->85166 85165->85103 85167 4115d7 52 API calls 85166->85167 85168 40f735 WideCharToMultiByte 85167->85168 85168->85103 85171 40f85d setSBUpLow _strlen 85169->85171 85172 40f7ab 85171->85172 85217 414db8 85171->85217 85173 4149c2 85172->85173 85229 414904 85173->85229 85175 40f7e9 85175->85108 85176 40f5c0 85175->85176 85177 40f5cd _strcat __write_nolock _memmove 85176->85177 85178 414d04 __fread_nolock 61 API calls 85177->85178 85179 40f691 __tzset_nolock 85177->85179 85181 425d11 85177->85181 85317 4150d1 85177->85317 85178->85177 85179->85110 85182 4150d1 _fseek 81 API calls 85181->85182 85183 425d33 85182->85183 85184 414d04 __fread_nolock 61 API calls 85183->85184 85184->85179 85186 414a52 __wsopen_helper 85185->85186 85187 414a64 85186->85187 85188 414a79 85186->85188 85457 417f77 46 API calls __getptd_noexit 85187->85457 85191 415471 __lock_file 47 API calls 85188->85191 85195 414a74 __wsopen_helper 85188->85195 85190 414a69 85458 417f25 10 API calls __fptostr 85190->85458 85193 414a92 85191->85193 85441 4149d9 85193->85441 85195->85115 85526 414c76 85198->85526 85200 414d1c 85201 44afef 85200->85201 85694 442c5a 85201->85694 85203 44b00d 85203->85117 85205 414fee __wsopen_helper 85204->85205 85206 414ffa 85205->85206 85207 41500f 85205->85207 85698 417f77 46 API calls __getptd_noexit 85206->85698 85208 415471 __lock_file 47 API calls 85207->85208 85210 415017 85208->85210 85212 414e4e __ftell_nolock 51 API calls 85210->85212 
85211 414fff 85699 417f25 10 API calls __fptostr 85211->85699 85214 415024 85212->85214 85700 41503d LeaveCriticalSection LeaveCriticalSection __wfsopen 85214->85700 85215 41500a __wsopen_helper 85215->85119 85218 414dd6 85217->85218 85219 414deb 85217->85219 85226 417f77 46 API calls __getptd_noexit 85218->85226 85219->85218 85221 414df2 85219->85221 85225 414de6 85221->85225 85228 418f98 77 API calls 7 library calls 85221->85228 85222 414ddb 85227 417f25 10 API calls __fptostr 85222->85227 85225->85171 85226->85222 85227->85225 85228->85225 85231 414910 __wsopen_helper 85229->85231 85230 414923 85285 417f77 46 API calls __getptd_noexit 85230->85285 85231->85230 85233 414951 85231->85233 85248 41d4d1 85233->85248 85234 414928 85286 417f25 10 API calls __fptostr 85234->85286 85237 414956 85238 41496a 85237->85238 85239 41495d 85237->85239 85241 414992 85238->85241 85242 414972 85238->85242 85287 417f77 46 API calls __getptd_noexit 85239->85287 85265 41d218 85241->85265 85288 417f77 46 API calls __getptd_noexit 85242->85288 85243 414933 __wsopen_helper @_EH4_CallFilterFunc@8 85243->85175 85249 41d4dd __wsopen_helper 85248->85249 85250 4182cb __lock 46 API calls 85249->85250 85256 41d4eb 85250->85256 85251 41d567 85253 416b04 __malloc_crt 46 API calls 85251->85253 85255 41d56e 85253->85255 85254 41d5f0 __wsopen_helper 85254->85237 85257 41d57c InitializeCriticalSectionAndSpinCount 85255->85257 85263 41d560 85255->85263 85256->85251 85260 418209 __mtinitlocknum 46 API calls 85256->85260 85256->85263 85293 4154b2 47 API calls __lock 85256->85293 85294 415520 LeaveCriticalSection LeaveCriticalSection _doexit 85256->85294 85258 41d59c 85257->85258 85259 41d5af EnterCriticalSection 85257->85259 85262 413748 _free 46 API calls 85258->85262 85259->85263 85260->85256 85262->85263 85290 41d5fb 85263->85290 85266 41d23a 85265->85266 85267 41d255 85266->85267 85278 41d26c __wopenfile 85266->85278 85299 417f77 46 API calls __getptd_noexit 85267->85299 85269 41d25a 85300 417f25 
10 API calls __fptostr 85269->85300 85271 41d47a 85304 417f77 46 API calls __getptd_noexit 85271->85304 85272 41d48c 85296 422bf9 85272->85296 85275 41d47f 85305 417f25 10 API calls __fptostr 85275->85305 85277 41499d 85289 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 85277->85289 85278->85271 85284 41d421 85278->85284 85301 41341f 58 API calls 2 library calls 85278->85301 85280 41d41a 85280->85284 85302 41341f 58 API calls 2 library calls 85280->85302 85282 41d439 85282->85284 85303 41341f 58 API calls 2 library calls 85282->85303 85284->85271 85284->85272 85285->85234 85286->85243 85287->85243 85288->85243 85289->85243 85295 4181f2 LeaveCriticalSection 85290->85295 85292 41d602 85292->85254 85293->85256 85294->85256 85295->85292 85306 422b35 85296->85306 85298 422c14 85298->85277 85299->85269 85300->85277 85301->85280 85302->85282 85303->85284 85304->85275 85305->85277 85309 422b41 __wsopen_helper 85306->85309 85307 422b54 85308 417f77 __fptostr 46 API calls 85307->85308 85310 422b59 85308->85310 85309->85307 85311 422b8a 85309->85311 85313 417f25 __fptostr 10 API calls 85310->85313 85312 422400 __tsopen_nolock 109 API calls 85311->85312 85314 422ba4 85312->85314 85316 422b63 __wsopen_helper 85313->85316 85315 422bcb __wsopen_helper LeaveCriticalSection 85314->85315 85315->85316 85316->85298 85319 4150dd __wsopen_helper 85317->85319 85318 4150e9 85348 417f77 46 API calls __getptd_noexit 85318->85348 85319->85318 85320 41510f 85319->85320 85330 415471 85320->85330 85323 4150ee 85349 417f25 10 API calls __fptostr 85323->85349 85329 4150f9 __wsopen_helper 85329->85177 85331 415483 85330->85331 85332 4154a5 EnterCriticalSection 85330->85332 85331->85332 85333 41548b 85331->85333 85334 415117 85332->85334 85335 4182cb __lock 46 API calls 85333->85335 85336 415047 85334->85336 85335->85334 85337 415067 85336->85337 85338 415057 85336->85338 85343 415079 85337->85343 85351 414e4e 85337->85351 85406 417f77 46 API calls __getptd_noexit 85338->85406 85342 
41505c 85350 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 85342->85350 85368 41443c 85343->85368 85346 4150b9 85381 41e1f4 85346->85381 85348->85323 85349->85329 85350->85329 85352 414e61 85351->85352 85353 414e79 85351->85353 85407 417f77 46 API calls __getptd_noexit 85352->85407 85355 414139 __fseek_nolock 46 API calls 85353->85355 85357 414e80 85355->85357 85356 414e66 85408 417f25 10 API calls __fptostr 85356->85408 85359 41e1f4 __write 51 API calls 85357->85359 85360 414e97 85359->85360 85361 414f09 85360->85361 85363 414ec9 85360->85363 85367 414e71 85360->85367 85409 417f77 46 API calls __getptd_noexit 85361->85409 85364 41e1f4 __write 51 API calls 85363->85364 85363->85367 85365 414f64 85364->85365 85366 41e1f4 __write 51 API calls 85365->85366 85365->85367 85366->85367 85367->85343 85369 414477 85368->85369 85370 414455 85368->85370 85374 414139 85369->85374 85370->85369 85371 414139 __fseek_nolock 46 API calls 85370->85371 85372 414470 85371->85372 85410 41b7b2 77 API calls 6 library calls 85372->85410 85375 414145 85374->85375 85376 41415a 85374->85376 85411 417f77 46 API calls __getptd_noexit 85375->85411 85376->85346 85378 41414a 85412 417f25 10 API calls __fptostr 85378->85412 85380 414155 85380->85346 85382 41e200 __wsopen_helper 85381->85382 85383 41e223 85382->85383 85384 41e208 85382->85384 85386 41e22f 85383->85386 85389 41e269 85383->85389 85433 417f8a 46 API calls __getptd_noexit 85384->85433 85435 417f8a 46 API calls __getptd_noexit 85386->85435 85387 41e20d 85434 417f77 46 API calls __getptd_noexit 85387->85434 85413 41ae56 85389->85413 85391 41e234 85436 417f77 46 API calls __getptd_noexit 85391->85436 85394 41e26f 85396 41e291 85394->85396 85397 41e27d 85394->85397 85395 41e23c 85437 417f25 10 API calls __fptostr 85395->85437 85438 417f77 46 API calls __getptd_noexit 85396->85438 85423 41e17f 85397->85423 85399 41e215 __wsopen_helper 85399->85342 85402 41e289 85440 41e2c0 LeaveCriticalSection __unlock_fhandle 85402->85440 
85403 41e296 85439 417f8a 46 API calls __getptd_noexit 85403->85439 85406->85342 85407->85356 85408->85367 85409->85367 85410->85369 85411->85378 85412->85380 85414 41ae62 __wsopen_helper 85413->85414 85415 41aebc 85414->85415 85417 4182cb __lock 46 API calls 85414->85417 85416 41aec1 EnterCriticalSection 85415->85416 85418 41aede __wsopen_helper 85415->85418 85416->85418 85419 41ae8e 85417->85419 85418->85394 85420 41aeaa 85419->85420 85421 41ae97 InitializeCriticalSectionAndSpinCount 85419->85421 85422 41aeec ___lock_fhandle LeaveCriticalSection 85420->85422 85421->85420 85422->85415 85424 41aded __commit 46 API calls 85423->85424 85425 41e18e 85424->85425 85426 41e1a4 SetFilePointer 85425->85426 85427 41e194 85425->85427 85428 41e1c3 85426->85428 85429 41e1bb GetLastError 85426->85429 85430 417f77 __fptostr 46 API calls 85427->85430 85431 41e199 85428->85431 85432 417f9d __dosmaperr 46 API calls 85428->85432 85429->85428 85430->85431 85431->85402 85432->85431 85433->85387 85434->85399 85435->85391 85436->85395 85437->85399 85438->85403 85439->85402 85440->85399 85442 4149ea 85441->85442 85443 4149fe 85441->85443 85487 417f77 46 API calls __getptd_noexit 85442->85487 85445 41443c __flush 77 API calls 85443->85445 85450 4149fa 85443->85450 85447 414a0a 85445->85447 85446 4149ef 85488 417f25 10 API calls __fptostr 85446->85488 85460 41d8c2 85447->85460 85459 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 85450->85459 85452 414139 __fseek_nolock 46 API calls 85453 414a18 85452->85453 85464 41d7fe 85453->85464 85455 414a1e 85455->85450 85456 413748 _free 46 API calls 85455->85456 85456->85450 85457->85190 85458->85195 85459->85195 85461 41d8d2 85460->85461 85463 414a12 85460->85463 85462 413748 _free 46 API calls 85461->85462 85461->85463 85462->85463 85463->85452 85465 41d80a __wsopen_helper 85464->85465 85466 41d812 85465->85466 85467 41d82d 85465->85467 85504 417f8a 46 API calls __getptd_noexit 85466->85504 85468 41d839 85467->85468 85473 41d873 
85467->85473 85506 417f8a 46 API calls __getptd_noexit 85468->85506 85471 41d817 85505 417f77 46 API calls __getptd_noexit 85471->85505 85472 41d83e 85507 417f77 46 API calls __getptd_noexit 85472->85507 85476 41ae56 ___lock_fhandle 48 API calls 85473->85476 85478 41d879 85476->85478 85477 41d846 85508 417f25 10 API calls __fptostr 85477->85508 85480 41d893 85478->85480 85481 41d887 85478->85481 85509 417f77 46 API calls __getptd_noexit 85480->85509 85489 41d762 85481->85489 85484 41d81f __wsopen_helper 85484->85455 85485 41d88d 85510 41d8ba LeaveCriticalSection __unlock_fhandle 85485->85510 85487->85446 85488->85450 85511 41aded 85489->85511 85491 41d7c8 85524 41ad67 47 API calls 2 library calls 85491->85524 85493 41d772 85493->85491 85495 41aded __commit 46 API calls 85493->85495 85503 41d7a6 85493->85503 85494 41aded __commit 46 API calls 85497 41d7b2 CloseHandle 85494->85497 85496 41d79d 85495->85496 85500 41aded __commit 46 API calls 85496->85500 85497->85491 85501 41d7be GetLastError 85497->85501 85498 41d7f2 85498->85485 85499 41d7d0 85499->85498 85525 417f9d 46 API calls 3 library calls 85499->85525 85500->85503 85501->85491 85503->85491 85503->85494 85504->85471 85505->85484 85506->85472 85507->85477 85508->85484 85509->85485 85510->85484 85512 41ae12 85511->85512 85513 41adfa 85511->85513 85516 417f8a __read 46 API calls 85512->85516 85519 41ae51 85512->85519 85514 417f8a __read 46 API calls 85513->85514 85515 41adff 85514->85515 85517 417f77 __fptostr 46 API calls 85515->85517 85518 41ae23 85516->85518 85523 41ae07 85517->85523 85520 417f77 __fptostr 46 API calls 85518->85520 85519->85493 85521 41ae2b 85520->85521 85522 417f25 __fptostr 10 API calls 85521->85522 85522->85523 85523->85493 85524->85499 85525->85498 85527 414c82 __wsopen_helper 85526->85527 85528 414cc3 85527->85528 85529 414c96 setSBUpLow 85527->85529 85530 414cbb __wsopen_helper 85527->85530 85531 415471 __lock_file 47 API calls 85528->85531 85553 417f77 46 API calls __getptd_noexit 
                                  APIs
                                  • _wcslen.LIBCMT ref: 004096C1
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 0040970C
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                  • _memmove.LIBCMT ref: 00409D96
                                  • _memmove.LIBCMT ref: 0040A6C4
                                  • _memmove.LIBCMT ref: 004297E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                  • String ID:
                                  • API String ID: 2383988440-0
                                  • Opcode ID: 0c7f704c1111840706a6f5d41559473282fc5ae19e9abcecf6c32e7dc2e8fb44
                                  • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                  • Opcode Fuzzy Hash: 0c7f704c1111840706a6f5d41559473282fc5ae19e9abcecf6c32e7dc2e8fb44
                                  • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                    • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SOA 89035673890.exe,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                    • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                  • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                  • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\SOA 89035673890.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                    • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                  • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                  • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                    • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                    • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                    • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                    • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                    • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                  • String ID: C:\Users\user\Desktop\SOA 89035673890.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                  • API String ID: 2495805114-509565873
                                  • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                  • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D
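The routine listed above checks IsDebuggerPresent (0040D5B6), then fetches its own path with GetModuleFileNameW (0042E268) and hands it to ShellExecuteW with the runas verb (0042E2B2-0042E2B9). That is the AutoIt3 stub's handling of #RequireAdmin: it asks UAC to start a second copy of itself elevated. The Python below is an added detection example, not code from the report or from AutoIt: it runs over constructed Sysmon Event ID 1 style process-creation records and flags a child that runs the same image as its parent at a strictly higher integrity level. The PIDs and the surrounding events are invented; the image path is the sample path recorded on this page.

```python
"""Detect a process relaunching its own image at a higher integrity level,
the observable left by ShellExecuteW(..., "runas", <own path>, ...).

Added example, not from the Joe Sandbox report.  Records mimic the EventData
fields of Sysmon Event ID 1 (ProcessCreate); the events themselves are
constructed, with invented PIDs.
"""
from typing import Dict, List, Tuple

INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

SAMPLE_PATH = r"C:\Users\user\Desktop\SOA 89035673890.exe"   # path recorded on this page

# Constructed process-creation records (not sandbox output).
SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 4120, "ParentProcessId": 3300, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 5012, "ParentProcessId": 4120, "IntegrityLevel": "Medium",
     "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe"},
    # The UAC-elevated second copy; AppInfo creates it with the requester as parent.
    {"ProcessId": 5100, "ParentProcessId": 5012, "IntegrityLevel": "High",
     "Image": SAMPLE_PATH, "ParentImage": SAMPLE_PATH},
    {"ProcessId": 5200, "ParentProcessId": 4120, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Same image as parent but no integrity change: an ordinary child, not a hit.
    {"ProcessId": 5300, "ParentProcessId": 5200, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
]


def self_elevations(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, image) for every child whose ParentImage
    equals its own Image and whose integrity level is above its parent's."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ParentProcessId"])
        if parent is None:                      # parent started before logging began
            continue
        same_image = child["Image"].lower() == child["ParentImage"].lower()
        child_rank = INTEGRITY_RANK.get(child["IntegrityLevel"], -1)
        parent_rank = INTEGRITY_RANK.get(parent["IntegrityLevel"], -1)
        if same_image and child_rank > parent_rank:
            hits.append((parent["ProcessId"], child["ProcessId"], child["Image"]))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in self_elevations(SAMPLE_EVENTS):
        print(f"self-elevation: {image} pid {ppid} -> pid {pid}")
```

The correlation keys on ParentProcessId because Sysmon records the requesting process as the parent of a UAC-elevated child (the AppInfo service creates the elevated process with the requester as its parent). Any #RequireAdmin script and many ordinary installers leave the same trace, so a hit is a triage signal to pair with AutoIt runtime indicators rather than a verdict on its own; and when the user is already elevated the stub does not relaunch, so the rule stays silent.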

                                  Control-flow Graph

                                   Control-flow graph of the function at 0040E500 (basic blocks 0040E500-0040E65D, with out-of-line blocks at 00427625-004276DF). Calls along the graph: 0040BC70, GetVersionExW, 00402160, 0040E660, 0040E680, 0040EF60, GetCurrentProcess, 0040EF20, 0040EFD0, 0040EF90, GetNativeSystemInfo, GetSystemInfo (two call sites), FreeLibrary (two call sites). The rendered graph distinguishes executed from not-executed blocks.
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                  • FreeLibrary.KERNEL32(?), ref: 0040E642
                                  • FreeLibrary.KERNEL32(?), ref: 0040E654
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                  • String ID: 0SH
                                  • API String ID: 3363477735-851180471
                                  • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                  • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                  APIs
                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: IsThemeActive$uxtheme.dll
                                  • API String ID: 2574300362-3542929980
                                  • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                  • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                  • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                  • TranslateMessage.USER32(?), ref: 00409556
                                  • DispatchMessageW.USER32(?), ref: 00409561
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchSleepTranslate
                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                  • API String ID: 1762048999-758534266
                                  • Opcode ID: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                  • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                  • Opcode Fuzzy Hash: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                                  • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                  Control-flow Graph

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SOA 89035673890.exe,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • __wcsicoll.LIBCMT ref: 00402007
                                  • __wcsicoll.LIBCMT ref: 0040201D
                                  • __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                  • __wcsicoll.LIBCMT ref: 00402049
                                  • _wcscpy.LIBCMT ref: 0040207C
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SOA 89035673890.exe,00000104), ref: 00428B5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\SOA 89035673890.exe$CMDLINE$CMDLINERAW
                                  • API String ID: 3948761352-2347268251
                                  • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                  • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                  • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                                  • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_fseek_wcscpy
                                  • String ID: D)E$D)E$FILE
                                  • API String ID: 3888824918-361185794
                                  • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                  • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                  • __wsplitpath.LIBCMT ref: 0040E41C
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcsncat.LIBCMT ref: 0040E433
                                  • __wmakepath.LIBCMT ref: 0040E44F
                                    • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • _wcscpy.LIBCMT ref: 0040E487
                                    • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • _wcscat.LIBCMT ref: 00427541
                                  • _wcslen.LIBCMT ref: 00427551
                                  • _wcslen.LIBCMT ref: 00427562
                                  • _wcscat.LIBCMT ref: 0042757C
                                  • _wcsncpy.LIBCMT ref: 004275BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                  • String ID: Include$\
                                  • API String ID: 3173733714-3429789819
                                  • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                  • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E
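The strings recovered across the listings above are the AutoIt3 runtime's own: the MessageBoxA text addressed to AV researchers (0042E1C9), the /AutoIt3ExecuteScript, /AutoIt3ExecuteLine and /AutoIt3OutputDebug switches matched by __wcsicoll (00402007-00402049), the HKCU key Software\AutoIt v3\AutoIt opened by RegOpenKeyExW (0040E4DD) to resolve the Include directory, and the @GUI_CTRLHANDLE macro name in the message loop. The analysed PE is therefore the AutoIt3 stub carrying a compiled script rather than a natively compiled payload. The Python below is an added static-triage example, not code from the report or from AutoIt: it scans a file for those strings in both ANSI and UTF-16LE form and for the 16-byte header that precedes an AutoIt3 script resource. The header value (AU3_EA06_MAGIC) and the verdict threshold are this example's assumptions; the indicator strings are the ones quoted on this page.

```python
"""Static triage of a PE for AutoIt3-runtime indicators.

Added example, not part of the Joe Sandbox report or of AutoIt itself.
Indicator strings are the ones quoted in the report's function listings;
AU3_EA06_MAGIC and the verdict threshold are this example's assumptions.
"""
import sys
from dataclasses import dataclass, field

# Strings quoted on this page.  The W-API ones live in the binary as
# UTF-16LE, the MessageBoxA text as ANSI; both encodings are tried for all.
INDICATORS = [
    "This is a compiled AutoIt script. AV researchers please email "
    "avsupport@autoitscript.com for support.",
    "Software\\AutoIt v3\\AutoIt",   # RegOpenKeyExW key under HKCU (0x80000001)
    "/AutoIt3ExecuteScript",         # command-line switches matched by __wcsicoll
    "/AutoIt3ExecuteLine",
    "/AutoIt3OutputDebug",
    "@GUI_CTRLHANDLE",               # AutoIt macro name in the GUI message loop
]

# Assumption: 16-byte header in front of an AutoIt3 (EA06) script resource,
# as used by public AutoIt unpackers.  Not taken from the report.
AU3_EA06_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


@dataclass
class AutoItVerdict:
    hits: list = field(default_factory=list)   # (indicator, encoding) pairs
    script_offset: int = -1                    # offset of AU3_EA06_MAGIC, or -1

    @property
    def is_autoit(self) -> bool:
        # Assumption: the script header, or two runtime strings, is enough.
        return self.script_offset >= 0 or len(self.hits) >= 2


def scan(data: bytes) -> AutoItVerdict:
    """Return which AutoIt3 indicators occur in `data` (a whole PE image)."""
    verdict = AutoItVerdict()
    for text in INDICATORS:
        for enc in ("ascii", "utf-16-le"):
            if text.encode(enc) in data:
                verdict.hits.append((text, enc))
                break                           # count each indicator once
    verdict.script_offset = data.find(AU3_EA06_MAGIC)
    return verdict


def main(path: str) -> int:
    with open(path, "rb") as fh:
        verdict = scan(fh.read())
    for text, enc in verdict.hits:
        print(f"[{enc:>9}] {text[:60]}")
    if verdict.script_offset >= 0:
        print(f"AU3 script header at file offset 0x{verdict.script_offset:x}")
    print("verdict:", "AutoIt3-compiled" if verdict.is_autoit else "no AutoIt3 indicators")
    return 0 if verdict.is_autoit else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python autoit_triage.py <sample.exe>`; a hit on the header gives the offset at which the compressed script resource starts, which is where an AutoIt unpacker would begin. The runtime strings identify the wrapper, not the payload: whatever the embedded script drops or injects still has to be recovered from the extracted script or from the sandbox's process dumps.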

                                  Control-flow Graph

                                  APIs
                                  • _fseek.LIBCMT ref: 0045292B
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452961
                                  • __fread_nolock.LIBCMT ref: 00452971
                                  • __fread_nolock.LIBCMT ref: 0045298A
                                  • __fread_nolock.LIBCMT ref: 004529A5
                                  • _fseek.LIBCMT ref: 004529BF
                                  • _malloc.LIBCMT ref: 004529CA
                                  • _malloc.LIBCMT ref: 004529D6
                                  • __fread_nolock.LIBCMT ref: 004529E7
                                  • _free.LIBCMT ref: 00452A17
                                  • _free.LIBCMT ref: 00452A20
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                  • String ID:
                                  • API String ID: 1255752989-0
                                  • Opcode ID: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                  • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                  • Opcode Fuzzy Hash: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                  • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                  • RegisterClassExW.USER32(00000030), ref: 004104ED
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                  • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                  • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                  • ImageList_ReplaceIcon.COMCTL32(009A15D8,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                  • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                  • LoadIconW.USER32(?,00000063), ref: 004103C0
                                  • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                  • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                  • RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                    • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                    • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                    • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                    • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                    • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                    • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(009A15D8,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 423443420-4155596026
                                  • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                  • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _malloc
                                  • String ID: Default
                                  • API String ID: 1579825452-753088835
                                  • Opcode ID: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                  • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                  • Opcode Fuzzy Hash: 443df2c3c68efbd16d3948df002b7be0acb455de1234585f427717e2e3840c69
                                  • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __fread_nolock_fseek_memmove_strcat
                                  • String ID: AU3!$EA06
                                  • API String ID: 1268643489-2658333250
                                  • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                  • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                  Control-flow Graph

                                  APIs
                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                  • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                  • PostQuitMessage.USER32(00000000), ref: 004011CB
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                  • CreatePopupMenu.USER32 ref: 00401204
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                  • String ID: TaskbarCreated
                                  • API String ID: 129472671-2362178303
                                  • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                  • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                  Control-flow Graph

                                  APIs
                                  • _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • std::exception::exception.LIBCMT ref: 00411626
                                  • std::exception::exception.LIBCMT ref: 00411640
                                  • __CxxThrowException@8.LIBCMT ref: 00411651
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                  • String ID: ,*H$4*H$@fI
                                  • API String ID: 615853336-1459471987
                                  • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                  • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F687F1
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F68A17
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3f66000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateFileFreeVirtual
                                  • String ID:
                                  • API String ID: 204039940-0
                                  • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                  • Instruction ID: 0be1bf58c6390ff1350dc5eb226be65e3b093458e04d21086466860fbd07c6aa
                                  • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                  • Instruction Fuzzy Hash: 78A11475E00209EBDB14CFA4C994BEEBBB5FF48704F24819DE101BB280D7759A80CBA5

                                  Control-flow Graph

                                  APIs
                                  • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                  • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                  • _wcsncpy.LIBCMT ref: 004102ED
                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                  • _wcsncpy.LIBCMT ref: 00410340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                  • String ID: C:\Users\user\Desktop\SOA 89035673890.exe
                                  • API String ID: 3170942423-3079810132
                                  • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                  • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                    • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                    • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                  • String ID:
                                  • API String ID: 3300667738-0
                                  • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                  • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                  • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                  • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                                  Control-flow Graph

                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: QueryValue$CloseOpen
                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                  • API String ID: 1586453840-614718249
                                  • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                  • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                  • ShowWindow.USER32(?,00000000), ref: 004105E4
                                  • ShowWindow.USER32(?,00000000), ref: 004105EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                  • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                  APIs
                                    • Part of subcall function 03F683C0: Sleep.KERNELBASE(000001F4), ref: 03F683D1
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F6860A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3f66000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep
                                  • String ID: NX2FUAMZPRLQGRA3OGNUHEOW291OJ
                                  • API String ID: 2694422964-1576985519
                                  • Opcode ID: 511dff9995b90f9ec2abc2910fdc0359ffc8d7b9a87b8146258bd8f839f699a2
                                  • Instruction ID: 3944ca38eb85bed3adfab8dbe8659b62a52b0f4f41222e9b58f3c63b545a6857
                                  • Opcode Fuzzy Hash: 511dff9995b90f9ec2abc2910fdc0359ffc8d7b9a87b8146258bd8f839f699a2
                                  • Instruction Fuzzy Hash: 6C618371D1428CDAEF11DBB4C858BDEBBB8AF15304F044599E6487B2C1C7BA0B48CB66
                                  APIs
                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcsncpy.LIBCMT ref: 00401C41
                                  • _wcscpy.LIBCMT ref: 00401C5D
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                  • String ID: Line:
                                  • API String ID: 1874344091-1585850449
                                  • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                  • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                  • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                  • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                  • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                  • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                  • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Close$OpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 1607946009-824357125
                                  • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                  • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                  • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                  • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03F67B7B
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F67C11
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F67C33
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3f66000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                  • String ID:
                                  • API String ID: 2438371351-0
                                  • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                  • Instruction ID: d770629f06abaf517a8850f87fd7a5654fec8818c1907890ed5ca09c48b7df87
                                  • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                  • Instruction Fuzzy Hash: 41622A30A14258DBEB24DFA4C840BEEB376EF58304F1091A9D10DEB390E7799E85CB59
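Added example (not part of the Joe Sandbox report and not code from the sample): a Python script that parses records in the format shown on this page and reports the two things an analyst wants from the 03F66000 record above. First, the call order CreateProcessW, Wow64GetThreadContext, ReadProcessMemory is the opening of the RunPE / process-hollowing sequence: the parent reads the child's x86 context with ContextFlags 00010007 (CONTEXT_i386 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS, i.e. CONTEXT_FULL) and then reads 4 bytes from the child, which in RunPE is how the child's PEB ImageBaseAddress is fetched before the original image is unmapped and replaced. The CreateProcessW flags argument is shown as ? in this record, so CREATE_SUSPENDED is not visible here, and the later stages (unmap or allocate, WriteProcessMemory, SetThreadContext, ResumeThread) are general knowledge of the technique rather than calls in this record; the script matches them only if they appear. Second, "based on PE: false" on the 03F66000 dump means that memory is not backed by the PE on disk, so the code there is unpacked or injected, whereas the 00400000 records (the HKCU\Software\AutoIt v3\AutoIt\Include lookup, the "AutoIt v3" window, Shell_NotifyIconW, the >>>AUTOIT SCRIPT<<< marker) are the AutoIt runtime that wraps the compiled script. The sample input is constructed from lines on this page; the stage names and the reading of the 4-byte read as the PEB image base are the example author's assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: two function records in the report's own "APIs" / "Memory Dump
# Source" layout, copied from this page (AutoIt runtime registry lookup at 00400000 and the
# hollowing calls at 03F66000).  Only "APIs", the call lines and "based on PE" are parsed.
SAMPLE_REPORT = r"""
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Memory Dump Source
• Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03F67B7B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F67C11
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F67C33
Memory Dump Source
• Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
"""

API_LINE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                      r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_LINE = re.compile(r"^•\s*Source File: .*?Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# RunPE / process-hollowing stages, matched as an ordered subsequence of a record's calls.
# The first three are exactly what the 03F66000 record shows; the rest are the usual
# continuation of the technique (general knowledge, not from this report) and count only
# if present.  Reading the 4-byte read as the child's PEB ImageBaseAddress is an assumption.
HOLLOWING_STAGES = [
    ("create_child_process", {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("get_thread_context", {"Wow64GetThreadContext", "GetThreadContext", "NtGetContextThread"}),
    ("read_remote_memory", {"ReadProcessMemory", "NtReadVirtualMemory"}),
    ("unmap_or_allocate", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection", "VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_payload", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_thread_context", {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"}),
    ("resume_thread", {"ResumeThread", "NtResumeThread"}),
]
HOLLOWING_PREFIX = [name for name, _ in HOLLOWING_STAGES[:3]]

# x86 CONTEXT.ContextFlags bits (winnt.h); CONTEXT_i386|CONTROL|INTEGER|SEGMENTS = 0x10007 = CONTEXT_FULL.
CONTEXT_I386 = 0x00010000
CONTEXT_FLAG_BITS = [(0x1, "CONTROL"), (0x2, "INTEGER"), (0x4, "SEGMENTS"), (0x8, "FLOATING_POINT"),
                     (0x10, "DEBUG_REGISTERS"), (0x20, "EXTENDED_REGISTERS")]


def decode_context_flags(value: int) -> List[str]:
    """Name the bits of an x86 ContextFlags value, e.g. the 00010007 passed to Wow64GetThreadContext."""
    names = ["i386"] if value & CONTEXT_I386 else []
    return names + [name for bit, name in CONTEXT_FLAG_BITS if value & bit]


def parse_records(text: str) -> List[Dict]:
    """Split report text into function records, one per 'APIs' header."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "offset": None, "pe_backed": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current["apis"].append({"api": m["api"], "module": m["module"], "args": args, "ref": m["ref"].upper()})
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current["offset"], current["pe_backed"] = m["offset"].upper(), m["pe"] == "true"
    return records


def hollowing_stages_hit(apis: List[Dict]) -> List[str]:
    """Stage names found in call order; a stage may be skipped but is never revisited."""
    hit, next_stage = [], 0
    for call in apis:
        for idx in range(next_stage, len(HOLLOWING_STAGES)):
            name, candidates = HOLLOWING_STAGES[idx]
            if call["api"] in candidates:
                hit.append(name)
                next_stage = idx + 1
                break
    return hit


def analyze(text: str) -> List[Dict]:
    """One finding per record: where it lives, whether the on-disk PE backs it, and any hollowing chain."""
    findings = []
    for rec in parse_records(text):
        ctx_flags = None
        for call in rec["apis"]:
            arg = call["args"][1] if len(call["args"]) > 1 else "?"   # '?' means the sandbox could not resolve it
            if call["api"] in HOLLOWING_STAGES[1][1] and re.fullmatch(r"[0-9A-Fa-f]+", arg):
                ctx_flags = decode_context_flags(int(arg, 16))
        stages = hollowing_stages_hit(rec["apis"])
        findings.append({"offset": rec["offset"], "pe_backed": rec["pe_backed"],
                         "apis": [c["api"] for c in rec["apis"]], "hollowing_stages": stages,
                         "hollowing_prefix": stages[:3] == HOLLOWING_PREFIX, "context_flags": ctx_flags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        backing = "PE-backed" if f["pe_backed"] else "not PE-backed (unpacked or injected code)"
        print(f"{f['offset']}: {backing}; calls: {' -> '.join(f['apis'])}; "
              f"hollowing prefix: {f['hollowing_prefix']}; ContextFlags: {f['context_flags']}")
```

Run it against the full report text instead of SAMPLE_REPORT to list every record whose dump is not PE-backed; those are the functions worth unpacking and diffing against the AutoIt runtime, and a hit on the three-stage prefix without the later stages usually means the remaining RunPE calls live in a neighbouring function of the same region.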
                                  APIs
                                    • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                  • _free.LIBCMT ref: 004295A0
                                    • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                    • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                    • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                    • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                    • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                  • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\SOA 89035673890.exe
                                  • API String ID: 3938964917-4006538826
                                  • Opcode ID: 04a933f2bae5c84e1ec678a83764c5dff2752dbbd219a3b8ffd94249686463e6
                                  • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                  • Opcode Fuzzy Hash: 04a933f2bae5c84e1ec678a83764c5dff2752dbbd219a3b8ffd94249686463e6
                                  • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: Error:
                                  • API String ID: 4104443479-232661952
                                  • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                  • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                  • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                  • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                  APIs
                                  • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\SOA 89035673890.exe,0040F545,C:\Users\user\Desktop\SOA 89035673890.exe,004A90E8,C:\Users\user\Desktop\SOA 89035673890.exe,?,0040F545), ref: 0041013C
                                    • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                    • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                    • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                    • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                  • String ID: X$pWH
                                  • API String ID: 85490731-941433119
                                  • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                  • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                  • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                  • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                  Strings
                                  • C:\Users\user\Desktop\SOA 89035673890.exe, xrefs: 00410107
                                  • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _strcat
                                  • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\SOA 89035673890.exe
                                  • API String ID: 1765576173-3805307041
                                  • Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                  • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                  • Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                  • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                  • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                  • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                  • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                  • String ID:
                                  • API String ID: 1794320848-0
                                  • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                  • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                  • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                  • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                  • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Process$CurrentTerminate
                                  • String ID:
                                  • API String ID: 2429186680-0
                                  • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                  • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                  • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                  • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                  APIs
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_
                                  • String ID:
                                  • API String ID: 1144537725-0
                                  APIs
                                  • _malloc.LIBCMT ref: 0043214B
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _malloc.LIBCMT ref: 0043215D
                                  • _malloc.LIBCMT ref: 0043216F
                                  Similarity
                                  • API ID: _malloc$AllocateHeap
                                  • String ID:
                                  • API String ID: 680241177-0
                                  APIs
                                  • TranslateMessage.USER32(?), ref: 00409556
                                  • DispatchMessageW.USER32(?), ref: 00409561
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  APIs
                                  • _free.LIBCMT ref: 0043210A
                                    • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
                                    • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
                                  • _free.LIBCMT ref: 0043211D
                                  • _free.LIBCMT ref: 00432130
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 004678F7
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                  Similarity
                                  • API ID: ErrorLast__wsplitpath_malloc
                                  • String ID:
                                  • API String ID: 4163294574-0
                                  APIs
                                    • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                  • _strcat.LIBCMT ref: 0040F786
                                    • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                  Similarity
                                  • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                  • String ID:
                                  • API String ID: 3199840319-0
                                  APIs
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                  • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                  Similarity
                                  • API ID: FreeInfoLibraryParametersSystem
                                  • String ID:
                                  • API String ID: 3403648963-0
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  APIs
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  • __lock_file.LIBCMT ref: 00414A8D
                                    • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                  • __fclose_nolock.LIBCMT ref: 00414A98
                                  Similarity
                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 2800547568-0
                                  APIs
                                  • __lock_file.LIBCMT ref: 00415012
                                  • __ftell_nolock.LIBCMT ref: 0041501F
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Similarity
                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 2999321469-0
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03F67B7B
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F67C11
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F67C33
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3f66000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                  • String ID:
                                  • API String ID: 2438371351-0
                                  APIs
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  APIs
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                  • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                  • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                                  • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                  • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                  • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                                  • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00444B34
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _malloc_memmove
                                  • String ID:
                                  • API String ID: 1183979061-0
                                  • Opcode ID: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                                  • Instruction ID: 1ab6fe9f530497837eb86deb75815884a9af672873ccf792f11a5e6f6739e6df
                                  • Opcode Fuzzy Hash: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                                  • Instruction Fuzzy Hash: E0016D3220410AAFD714DF2CC882DA7B3EDEF88318711492FE996C7251EA74F9508B94
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __lock_file
                                  • String ID:
                                  • API String ID: 3031932315-0
                                  • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                  • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                  • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                  • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                  • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                  • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                  • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wfsopen
                                  • String ID:
                                  • API String ID: 197181222-0
                                  • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                  • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                  • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                  • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                  APIs
                                  • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                  • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                  • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                  • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 03F683D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1725231197.0000000003F66000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F66000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3f66000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction ID: ba07fd88dfb209e68e05b10f0edc6c1ad8ae765033566006da4bb7d88d879460
                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction Fuzzy Hash: D7E0E67494010DDFDB00EFB8D54D69E7FB4EF04302F1001A5FD05D2280D6309D508A62
                                  APIs
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                  • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                  • GetKeyState.USER32(00000011), ref: 0047C92D
                                  • GetKeyState.USER32(00000009), ref: 0047C936
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                  • GetKeyState.USER32(00000010), ref: 0047C953
                                  • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                  • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                  • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                  • _wcsncpy.LIBCMT ref: 0047CA29
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                  • SendMessageW.USER32 ref: 0047CA7F
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                  • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                  • ImageList_SetDragCursorImage.COMCTL32(009A15D8,00000000,00000000,00000000), ref: 0047CB9B
                                  • ImageList_BeginDrag.COMCTL32(009A15D8,00000000,000000F8,000000F0), ref: 0047CBAC
                                  • SetCapture.USER32(?), ref: 0047CBB6
                                  • ClientToScreen.USER32(?,?), ref: 0047CC17
                                  • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                  • ReleaseCapture.USER32 ref: 0047CC3A
                                  • GetCursorPos.USER32(?), ref: 0047CC72
                                  • ScreenToClient.USER32(?,?), ref: 0047CC80
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                  • SendMessageW.USER32 ref: 0047CD12
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                  • SendMessageW.USER32 ref: 0047CD80
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                  • GetCursorPos.USER32(?), ref: 0047CDC8
                                  • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                  • GetParent.USER32(00000000), ref: 0047CDF7
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                  • SendMessageW.USER32 ref: 0047CE93
                                  • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,00911A60,00000000,?,?,?,?), ref: 0047CF1C
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                  • SendMessageW.USER32 ref: 0047CF6B
                                  • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,00911A60,00000000,?,?,?,?), ref: 0047CFE6
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 3100379633-4164748364
                                  • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                  • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                  • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                  • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00434420
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                  • IsIconic.USER32(?), ref: 0043444F
                                  • ShowWindow.USER32(?,00000009), ref: 0043445C
                                  • SetForegroundWindow.USER32(?), ref: 0043446A
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                  • GetCurrentThreadId.KERNEL32 ref: 00434485
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                  • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                  • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                  • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                  • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                  • keybd_event.USER32(00000012,00000000), ref: 00434514
                                  • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                  • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 2889586943-2988720461
                                  • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                  • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                  • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                  • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                  APIs
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                  • CloseHandle.KERNEL32(?), ref: 004463A0
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                  • GetProcessWindowStation.USER32 ref: 004463D1
                                  • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                  • _wcslen.LIBCMT ref: 00446498
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _wcsncpy.LIBCMT ref: 004464C0
                                  • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                  • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                  • CloseWindowStation.USER32(00000000), ref: 0044656C
                                  • CloseDesktop.USER32(?), ref: 0044657A
                                  • SetProcessWindowStation.USER32(?), ref: 00446588
                                  • CloseHandle.KERNEL32(?), ref: 00446592
                                  • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                  • String ID: $@OH$default$winsta0
                                  • API String ID: 3324942560-3791954436
                                  • Opcode ID: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                  • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                  • Opcode Fuzzy Hash: b5525f1ade2b057c7f9e31d74da72dff15b4031de69b799d2ab87430ccd2f155
                                  • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\SOA 89035673890.exe,0040F545,C:\Users\user\Desktop\SOA 89035673890.exe,004A90E8,C:\Users\user\Desktop\SOA 89035673890.exe,?,0040F545), ref: 0041013C
                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                    • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • _wcscat.LIBCMT ref: 0044BD94
                                  • _wcscat.LIBCMT ref: 0044BDBD
                                  • __wsplitpath.LIBCMT ref: 0044BDEA
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                  • _wcscpy.LIBCMT ref: 0044BE71
                                  • _wcscat.LIBCMT ref: 0044BE83
                                  • _wcscat.LIBCMT ref: 0044BE95
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                  • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                  • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                  • FindClose.KERNEL32(00000000), ref: 0044BF33
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                  • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2188072990-1173974218
                                  • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                  • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                  • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                  • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                  • FindClose.KERNEL32(00000000), ref: 00478924
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                  • __swprintf.LIBCMT ref: 004789D3
                                  • __swprintf.LIBCMT ref: 00478A1D
                                  • __swprintf.LIBCMT ref: 00478A4B
                                  • __swprintf.LIBCMT ref: 00478A79
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                  • __swprintf.LIBCMT ref: 00478AA7
                                  • __swprintf.LIBCMT ref: 00478AD5
                                  • __swprintf.LIBCMT ref: 00478B03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                  • API String ID: 999945258-2428617273
                                  • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                  • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                  • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                  • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                  • __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscpy.LIBCMT ref: 004034A7
                                  • _wcscat.LIBCMT ref: 004034BC
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                  • _wcscpy.LIBCMT ref: 004035A0
                                  • _wcslen.LIBCMT ref: 00403623
                                  • _wcslen.LIBCMT ref: 0040367D
                                  Strings
                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                  • _, xrefs: 0040371C
                                  • Error opening the file, xrefs: 00428231
                                  • Unterminated string, xrefs: 00428348
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                  • API String ID: 3393021363-188983378
                                  • Opcode ID: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                  • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                  • Opcode Fuzzy Hash: 7ca9ad7ef7208bb045d11657cd721343b767352ed1bccac0ebefd6c576abac4e
                                  • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                  • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                  • FindClose.KERNEL32(00000000), ref: 00431B20
                                  • FindClose.KERNEL32(00000000), ref: 00431B34
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                  • FindClose.KERNEL32(00000000), ref: 00431BCD
                                  • FindClose.KERNEL32(00000000), ref: 00431BDB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1409584000-438819550
                                  • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                  • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                  • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                  • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                  • __swprintf.LIBCMT ref: 00431C2E
                                  • _wcslen.LIBCMT ref: 00431C3A
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                  • String ID: :$\$\??\%s
                                  • API String ID: 2192556992-3457252023
                                  • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                  • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                  • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                  • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 004722A2
                                  • __swprintf.LIBCMT ref: 004722B9
                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                  • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                  • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                  • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                  • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                  • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                  • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                  • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FolderPath$LocalTime__swprintf
                                  • String ID: %.3d
                                  • API String ID: 3337348382-986655627
                                  • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                  • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                  • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                  • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                  • FindClose.KERNEL32(00000000), ref: 0044291C
                                  • FindClose.KERNEL32(00000000), ref: 00442930
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                  • FindClose.KERNEL32(00000000), ref: 004429D4
                                    • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                  • FindClose.KERNEL32(00000000), ref: 004429E2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 2640511053-438819550
                                  • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                  • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                  • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                  • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                  • GetLastError.KERNEL32 ref: 00433414
                                  • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                  • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 2938487562-3733053543
                                  • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                  • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                  • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                  • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
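The call listings above give their arguments as raw hexadecimal: the SHGetFolderPathW sequence from 004724EC to 004725BC passes CSIDL indices (0x26, 0x2B, 0x05, 0x23, 0x19, 0x2E, 0x1F, 0x17, 0x16), the CreateFileW subcall at 00433C2A passes desired access 40000000, share mode 00000001, disposition 00000003 and flags 02000080, and the block from 004333CE to 00433479 looks up SeShutdownPrivilege before ExitWindowsEx / InitiateSystemShutdownExW / SetSystemPowerState. The Python helper below is an added triage example, not part of the Joe Sandbox report or of the sample; it parses lines in the report's "APIs" format and resolves those constants to their documented Win32 names (CSIDL_PROGRAM_FILES, GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, and so on) so each function's capability can be read off directly. SAMPLE_LINES is copied from the listings above and is the only input; the constant tables cover the values that occur here plus a few common neighbours, and the capability labels are this example's own naming.

```python
"""Decode Win32 constants in Joe Sandbox 'APIs' call listings (added triage example)."""
import re

# Constructed input: call lines copied verbatim from the function listings in this report.
SAMPLE_LINES = """
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
• SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
• SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
• SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
• SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
• SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
"""

# One call per line: Api.MODULE(arg,arg,...), ref: ADDRESS
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Documented shell folder indices (shlobj.h); only the values seen here plus neighbours.
CSIDL = {
    0x05: "CSIDL_PERSONAL", 0x16: "CSIDL_COMMON_STARTMENU", 0x17: "CSIDL_COMMON_PROGRAMS",
    0x19: "CSIDL_COMMON_DESKTOPDIRECTORY", 0x1F: "CSIDL_COMMON_FAVORITES",
    0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES",
    0x2B: "CSIDL_PROGRAM_FILES_COMMON", 0x2E: "CSIDL_COMMON_DOCUMENTS",
}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
         0x80000000: "FILE_FLAG_WRITE_THROUGH"}
SHUTDOWN_APIS = {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"}


def parse_arg(tok):
    """Hex tokens become ints; '?' (unresolved by the sandbox) and literal strings stay as-is."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else tok


def parse_calls(text):
    calls = []
    for api, module, raw_args, ref in CALL_RE.findall(text):
        args = [parse_arg(t) for t in raw_args.split(",")] if raw_args else []
        calls.append({"api": api, "module": module, "args": args, "ref": ref})
    return calls


def decode_flags(value, table):
    """Split a bitmask into known names (ascending bit order); leftover bits are kept as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_create_file(args):
    """CreateFileW(name, access, share, sa, disposition, flags, template)."""
    def num(i):
        return args[i] if i < len(args) and isinstance(args[i], int) else None
    access, share, disp, flags = num(1), num(2), num(4), num(5)
    return {
        "access": decode_flags(access, ACCESS) if access is not None else ["?"],
        "share": decode_flags(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, "?") if disp is not None else "?",
        "flags": decode_flags(flags, FLAGS) if flags is not None else ["?"],
    }


def summarize(calls):
    """Resolve constants and attach capability labels (labels are this example's naming)."""
    s = {"folders": [], "create_file": [], "privileges": [], "capabilities": set()}
    for c in calls:
        api, args = c["api"], c["args"]
        if api == "SHGetFolderPathW" and len(args) > 1 and isinstance(args[1], int):
            csidl = args[1] & ~0xFF00  # strip CSIDL_FLAG_* bits (CSIDL_FLAG_MASK = 0xFF00)
            s["folders"].append(CSIDL.get(csidl, f"CSIDL_0x{csidl:02X}"))
            s["capabilities"].add("enumerates_shell_folders")
        elif api == "CreateFileW":
            d = decode_create_file(args)
            s["create_file"].append(d)
            # FILE_FLAG_BACKUP_SEMANTICS is what CreateFile requires to open a directory handle.
            if "FILE_FLAG_BACKUP_SEMANTICS" in d["flags"]:
                s["capabilities"].add("opens_directory_handles")
        elif api == "LookupPrivilegeValueW" and len(args) > 1 and isinstance(args[1], str):
            s["privileges"].append(args[1])
        if api in SHUTDOWN_APIS or "SeShutdownPrivilege" in s["privileges"]:
            s["capabilities"].add("shutdown_or_reboot")
    return s


if __name__ == "__main__":
    for key, value in summarize(parse_calls(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

Run against the lines above it reports the nine resolved folders (all but CSIDL_PERSONAL are machine-wide "Common" locations, which is what an installer touching Start Menu, Desktop and Program Files would query), a GENERIC_WRITE / OPEN_EXISTING open with backup semantics (consistent with the directory walkers at 00431AAA and 004428A8 taking handles to directories rather than files), and the shutdown capability gated on SeShutdownPrivilege. Feed it the other "APIs" blocks of the report to extend the tables as unknown constants show up as hex.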
                                  APIs
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                    • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                    • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                  • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                  • GetLengthSid.ADVAPI32(?), ref: 00446241
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                  • CopySid.ADVAPI32(00000000), ref: 00446271
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                  • String ID:
                                  • API String ID: 1255039815-0
                                  • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                  • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                  • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                  • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                  APIs
                                  • __swprintf.LIBCMT ref: 00433073
                                  • __swprintf.LIBCMT ref: 00433085
                                  • __wcsicoll.LIBCMT ref: 00433092
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                  • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                  • LockResource.KERNEL32(00000000), ref: 004330CA
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                  • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                  • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                  • LockResource.KERNEL32(?), ref: 00433120
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                  • String ID:
                                  • API String ID: 1158019794-0
                                  • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                  • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                  • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                  • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                  • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                  • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                  • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                  • GetLastError.KERNEL32 ref: 0045D6BF
                                  • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                  • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                  • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                  • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                  Similarity
                                  • API ID: _memmove$_strncmp
                                  • String ID: @oH$\$^$h
                                  • API String ID: 2175499884-3701065813
                                  • Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                  • Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
                                  • Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
                                  • Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                  • listen.WSOCK32(00000000,00000005), ref: 00465381
                                  • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                  • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                  Similarity
                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                  • String ID:
                                  • API String ID: 540024437-0
                                  • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                  • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                  • API String ID: 0-2872873767
                                  • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                  • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                  • __wsplitpath.LIBCMT ref: 00475644
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscat.LIBCMT ref: 00475657
                                  • __wcsicoll.LIBCMT ref: 0047567B
                                  • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                  • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 2547909840-0
                                  • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                  • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                  • Sleep.KERNEL32(0000000A), ref: 0045250B
                                  • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                  • FindClose.KERNEL32(?), ref: 004525FF
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                  • String ID: *.*$\VH
                                  • API String ID: 2786137511-2657498754
                                  • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                  • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                  • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                  • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID: pqI
                                  • API String ID: 2579439406-2459173057
                                  • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                  • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                  APIs
                                  • __wcsicoll.LIBCMT ref: 00433349
                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                  • __wcsicoll.LIBCMT ref: 00433375
                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                  Similarity
                                  • API ID: __wcsicollmouse_event
                                  • String ID: DOWN
                                  • API String ID: 1033544147-711622031
                                  • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                  • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C3D2
                                  • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                  Similarity
                                  • API ID: KeyboardMessagePostState$InputSend
                                  • String ID:
                                  • API String ID: 3031425849-0
                                  • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                  • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                  Similarity
                                  • API ID: ErrorLastinet_addrsocket
                                  • String ID:
                                  • API String ID: 4170576061-0
                                  • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                  • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • IsWindowVisible.USER32 ref: 0047A368
                                  • IsWindowEnabled.USER32 ref: 0047A378
                                  • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                  • IsIconic.USER32 ref: 0047A393
                                  • IsZoomed.USER32 ref: 0047A3A1
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                  • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 00478442
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                  • CoUninitialize.OLE32 ref: 0047863C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                  • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                  • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                  • CloseClipboard.USER32 ref: 0046DD0D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                  • CloseClipboard.USER32 ref: 0046DD41
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                  • CloseClipboard.USER32 ref: 0046DD99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                  • String ID:
                                  • API String ID: 15083398-0
                                  • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                  • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                  • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: U$\
                                  • API String ID: 4104443479-100911408
                                  • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                  • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                  • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                  • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                  • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                  APIs
                                  • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                  • FindClose.KERNEL32(00000000), ref: 004339EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0
                                  • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                  • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                  • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                  • String ID:
                                  • API String ID: 901099227-0
                                  • Opcode ID: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                                  • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                  • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                  APIs
                                  • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Proc
                                  • String ID:
                                  • API String ID: 2346855178-0
                                  • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                  • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                  • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 0045A38B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                  • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                  • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                  APIs
                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                  • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                  • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                  • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                  • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                  • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                  • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N@
                                  • API String ID: 0-1509896676
                                  • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                  • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                  • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                  • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                  • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                  • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                  • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                  • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                  APIs
                                  • DeleteObject.GDI32(?), ref: 0045953B
                                  • DeleteObject.GDI32(?), ref: 00459551
                                  • DestroyWindow.USER32(?), ref: 00459563
                                  • GetDesktopWindow.USER32 ref: 00459581
                                  • GetWindowRect.USER32(00000000), ref: 00459588
                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                  • GetClientRect.USER32(00000000,?), ref: 004596F8
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                  • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                  • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                  • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                  • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                  • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                  • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                  • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                  • ShowWindow.USER32(?,00000004), ref: 00459865
                                  • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                  • GetStockObject.GDI32(00000011), ref: 004598CD
                                  • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                  • DeleteDC.GDI32(00000000), ref: 004598F8
                                  • _wcslen.LIBCMT ref: 00459916
                                  • _wcscpy.LIBCMT ref: 0045993A
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                  • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                  • GetDC.USER32(00000000), ref: 004599FC
                                  • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                  • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                  • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 4040870279-2373415609
                                  • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                  • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                  • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                  • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 0044181E
                                  • SetTextColor.GDI32(?,?), ref: 00441826
                                  • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                  • GetSysColor.USER32(0000000F), ref: 00441849
                                  • SetBkColor.GDI32(?,?), ref: 00441864
                                  • SelectObject.GDI32(?,?), ref: 00441874
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                  • GetSysColor.USER32(00000010), ref: 004418B2
                                  • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                  • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                  • DeleteObject.GDI32(?), ref: 004418D5
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                  • FillRect.USER32(?,?,?), ref: 00441970
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                    • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                    • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                    • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                    • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                    • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                    • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                    • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                    • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                    • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                  • String ID:
                                  • API String ID: 69173610-0
                                  • Opcode ID: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                  • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                  • Opcode Fuzzy Hash: 0916c3cf28f962cebf3c58740b3ff5bfe8190551d5af4ba49c76a685ec03c0b9
                                  • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                  APIs
                                  • DestroyWindow.USER32(?), ref: 004590F2
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                  • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                  • GetClientRect.USER32(00000000,?), ref: 0045924E
                                  • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                  • GetStockObject.GDI32(00000011), ref: 004592AC
                                  • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                  • DeleteDC.GDI32(00000000), ref: 004592D6
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                  • GetStockObject.GDI32(00000011), ref: 004593D3
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                  • API String ID: 2910397461-517079104
                                  • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                  • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                  • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                  • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-3360698832
                                  • Opcode ID: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                  • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                  • Opcode Fuzzy Hash: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                                  • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                  • SetCursor.USER32(00000000), ref: 0043075B
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                  • SetCursor.USER32(00000000), ref: 00430773
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                  • SetCursor.USER32(00000000), ref: 0043078B
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                  • SetCursor.USER32(00000000), ref: 004307A3
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                  • SetCursor.USER32(00000000), ref: 004307BB
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                  • SetCursor.USER32(00000000), ref: 004307D3
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                  • SetCursor.USER32(00000000), ref: 004307EB
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                  • SetCursor.USER32(00000000), ref: 00430803
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                  • SetCursor.USER32(00000000), ref: 0043081B
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                  • SetCursor.USER32(00000000), ref: 00430833
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                  • SetCursor.USER32(00000000), ref: 0043084B
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                  • SetCursor.USER32(00000000), ref: 00430863
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                  • SetCursor.USER32(00000000), ref: 0043087B
                                  • SetCursor.USER32(00000000), ref: 00430887
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                  • SetCursor.USER32(00000000), ref: 0043089F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Cursor$Load
                                  • String ID:
                                  • API String ID: 1675784387-0
                                  • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                  • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                  • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                  • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                  APIs
                                  • GetSysColor.USER32(0000000E), ref: 00430913
                                  • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                  • GetSysColor.USER32(00000012), ref: 00430933
                                  • SetTextColor.GDI32(?,?), ref: 0043093B
                                  • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                  • GetSysColor.USER32(0000000F), ref: 00430959
                                  • CreateSolidBrush.GDI32(?), ref: 00430962
                                  • GetSysColor.USER32(00000011), ref: 00430979
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                  • SelectObject.GDI32(?,00000000), ref: 0043099C
                                  • SetBkColor.GDI32(?,?), ref: 004309A6
                                  • SelectObject.GDI32(?,?), ref: 004309B4
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                  • DrawFocusRect.USER32(?,?), ref: 00430A91
                                  • GetSysColor.USER32(00000011), ref: 00430A9F
                                  • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                  • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                  • SelectObject.GDI32(?,?), ref: 00430AD0
                                  • DeleteObject.GDI32(00000105), ref: 00430ADC
                                  • SelectObject.GDI32(?,?), ref: 00430AE3
                                  • DeleteObject.GDI32(?), ref: 00430AE9
                                  • SetTextColor.GDI32(?,?), ref: 00430AF0
                                  • SetBkColor.GDI32(?,?), ref: 00430AFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 1582027408-0
                                  • Opcode ID: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                  • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                  • Opcode Fuzzy Hash: 86b869e5b8bb6c2dba163effb8278b4f001f0824fd106c928e18bea154194c17
                                  • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                  Similarity
                                  • API ID: CloseConnectCreateRegistry
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 3217815495-966354055
                                  • Opcode ID: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                  • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                  • Opcode Fuzzy Hash: cce921d97e24dbf253ef9f1627752c5d4fb6d5c9aca8633edc33abbdd9bc0d54
                                  • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004566AE
                                  • GetDesktopWindow.USER32 ref: 004566C3
                                  • GetWindowRect.USER32(00000000), ref: 004566CA
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                  • DestroyWindow.USER32(?), ref: 00456746
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                  • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                  • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                  • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                  • IsWindowVisible.USER32(?), ref: 0045682C
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                  • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                  • GetWindowRect.USER32(?,?), ref: 00456873
                                  • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                  • CopyRect.USER32(?,?), ref: 004568BE
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                  Similarity
                                  • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                  • String ID: ($,$tooltips_class32
                                  • API String ID: 225202481-3320066284
                                  • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                  • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                  • CloseClipboard.USER32 ref: 0046DD0D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                  • CloseClipboard.USER32 ref: 0046DD41
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                  • CloseClipboard.USER32 ref: 0046DD99
                                  Similarity
                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                  • String ID:
                                  • API String ID: 15083398-0
                                  • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                  • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetWindowRect.USER32(?,?), ref: 00471CF7
                                  • GetClientRect.USER32(?,?), ref: 00471D05
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                  • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                  • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                  • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                  • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                  • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                  • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                  • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                  • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                  • GetClientRect.USER32(?,?), ref: 00471E8A
                                  • GetStockObject.GDI32(00000011), ref: 00471EA6
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                  • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                  Similarity
                                  • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                  • String ID: @$AutoIt v3 GUI
                                  • API String ID: 867697134-3359773793
                                  • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                  • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                  Similarity
                                  • API ID: __wcsicoll$__wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                  • API String ID: 790654849-32604322
                                  • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                  • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                  • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                  • Opcode Fuzzy Hash: 37a5c787a7b2188dc8d5479775b41731b0c96863aaa01ab20318fba061c3c2a8
                                  • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                  APIs
                                    • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                  • _fseek.LIBCMT ref: 00452B3B
                                  • __wsplitpath.LIBCMT ref: 00452B9B
                                  • _wcscpy.LIBCMT ref: 00452BB0
                                  • _wcscat.LIBCMT ref: 00452BC5
                                  • __wsplitpath.LIBCMT ref: 00452BEF
                                  • _wcscat.LIBCMT ref: 00452C07
                                  • _wcscat.LIBCMT ref: 00452C1C
                                  • __fread_nolock.LIBCMT ref: 00452C53
                                  • __fread_nolock.LIBCMT ref: 00452C64
                                  • __fread_nolock.LIBCMT ref: 00452C83
                                  • __fread_nolock.LIBCMT ref: 00452C94
                                  • __fread_nolock.LIBCMT ref: 00452CB5
                                  • __fread_nolock.LIBCMT ref: 00452CC6
                                  • __fread_nolock.LIBCMT ref: 00452CD7
                                  • __fread_nolock.LIBCMT ref: 00452CE8
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452D78
                                  Similarity
                                  • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                  • String ID:
                                  • API String ID: 2054058615-0
                                  • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                  • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                  Similarity
                                  • API ID: Window
                                  • String ID: 0
                                  • API String ID: 2353593579-4108050209
                                  • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                  • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                  APIs
                                  • GetSysColor.USER32(0000000F), ref: 0044A05E
                                  • GetClientRect.USER32(?,?), ref: 0044A0D1
                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                  • GetWindowDC.USER32(?), ref: 0044A0F6
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                  • ReleaseDC.USER32(?,?), ref: 0044A11B
                                  • GetSysColor.USER32(0000000F), ref: 0044A131
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                  • GetSysColor.USER32(0000000F), ref: 0044A14F
                                  • GetSysColor.USER32(00000005), ref: 0044A15B
                                  • GetWindowDC.USER32(?), ref: 0044A1BE
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                  • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                  • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                  • GetSysColor.USER32(00000008), ref: 0044A265
                                  • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                  • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                  • GetStockObject.GDI32(00000005), ref: 0044A28A
                                  Similarity
                                  • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                  • String ID:
                                  • API String ID: 1744303182-0
                                  • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                  • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                  • __mtterm.LIBCMT ref: 00417C34
                                    • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                    • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                  • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                  • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                  • __init_pointers.LIBCMT ref: 00417CE6
                                  • __calloc_crt.LIBCMT ref: 00417D54
                                  • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                  Similarity
                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                  • API String ID: 4163708885-3819984048
                                  • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                  • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                  • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                  • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2485277191-404129466
                                  • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                  • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                  • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                  • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                  APIs
                                  • LoadIconW.USER32(?,00000063), ref: 0045464C
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                  • SetWindowTextW.USER32(?,?), ref: 00454678
                                  • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                  • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                  • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                  • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                  • GetWindowRect.USER32(?,?), ref: 004546F5
                                  • SetWindowTextW.USER32(?,?), ref: 00454765
                                  • GetDesktopWindow.USER32 ref: 0045476F
                                  • GetWindowRect.USER32(00000000), ref: 00454776
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                  • GetClientRect.USER32(?,?), ref: 004547D2
                                  • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                  • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                  • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                  • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                  APIs
                                  • _wcslen.LIBCMT ref: 00464B28
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                  • _wcslen.LIBCMT ref: 00464C28
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                  • _wcslen.LIBCMT ref: 00464CBA
                                  • _wcslen.LIBCMT ref: 00464CD0
                                  • _wcslen.LIBCMT ref: 00464CEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$Directory$CurrentSystem
                                  • String ID: D
                                  • API String ID: 1914653954-2746444292
                                  • Opcode ID: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                  • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                  • Opcode Fuzzy Hash: 0d94b415f8f4be32da9437a4562fd2ea9250d6af123b13f45aceadf0defadff8
                                  • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 0045CE39
                                  • __wsplitpath.LIBCMT ref: 0045CE78
                                  • _wcscat.LIBCMT ref: 0045CE8B
                                  • _wcscat.LIBCMT ref: 0045CE9E
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                  • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                  • _wcscpy.LIBCMT ref: 0045CF61
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                  • String ID: *.*
                                  • API String ID: 1153243558-438819550
                                  • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                  • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                  • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                  • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsicoll
                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                  • API String ID: 3832890014-4202584635
                                  • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                  • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                  • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                  • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                  APIs
                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                  • GetFocus.USER32 ref: 0046A0DD
                                  • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessagePost$CtrlFocus
                                  • String ID: 0
                                  • API String ID: 1534620443-4108050209
                                  • Opcode ID: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                  • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                  • Opcode Fuzzy Hash: 5cb98421042f455ec4000b61dd51e58b9a21b7b09c176f3470d706b88b7d88ce
                                  • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                  APIs
                                  • DestroyWindow.USER32(?), ref: 004558E3
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$CreateDestroy
                                  • String ID: ,$tooltips_class32
                                  • API String ID: 1109047481-3856767331
                                  • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                  • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                  • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                  • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                  • GetMenuItemCount.USER32(?), ref: 00468C45
                                  • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                  • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                  • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                  • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                  • GetMenuItemCount.USER32 ref: 00468CFD
                                  • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                  • GetCursorPos.USER32(?), ref: 00468D3F
                                  • SetForegroundWindow.USER32(?), ref: 00468D49
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                  • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                  • String ID: 0
                                  • API String ID: 1441871840-4108050209
                                  • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                  • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                  • __swprintf.LIBCMT ref: 00460915
                                  • __swprintf.LIBCMT ref: 0046092D
                                  • _wprintf.LIBCMT ref: 004609E1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                  • API String ID: 3631882475-2268648507
                                  • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                  • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                  • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                  • SendMessageW.USER32 ref: 00471740
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                  • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                  • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                  • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                  • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                  • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                  • SendMessageW.USER32 ref: 0047184F
                                  • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                  • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                  • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                  • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                  • String ID:
                                  • API String ID: 4116747274-0
                                  • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                  • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                  • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                  • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                  • _wcslen.LIBCMT ref: 00461683
                                  • __swprintf.LIBCMT ref: 00461721
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                  • GetDlgCtrlID.USER32(?), ref: 00461869
                                  • GetWindowRect.USER32(?,?), ref: 004618A4
                                  • GetParent.USER32(?), ref: 004618C3
                                  • ScreenToClient.USER32(00000000), ref: 004618CA
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                  • String ID: %s%u
                                  • API String ID: 1899580136-679674701
                                  • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                  • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                  • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                  • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu$Sleep
                                  • String ID: 0
                                  • API String ID: 1196289194-4108050209
                                  • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                  • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                  • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                  • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                  APIs
                                  • GetDC.USER32(00000000), ref: 0043143E
                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                  • SelectObject.GDI32(00000000,?), ref: 00431466
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                  • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                  • String ID: (
                                  • API String ID: 3300687185-3887548279
                                  • Opcode ID: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                  • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                  • Opcode Fuzzy Hash: 7cf8b5f06cf9837a80c5bf18f75efab984d242103ae75fea6cfb4fef03d4f8e7
                                  • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 1976180769-4113822522
                                  • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                  • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                  • String ID:
                                  • API String ID: 461458858-0
                                  • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                  • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                  • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                  • CloseHandle.KERNEL32(00000000), ref: 00430113
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                  • GlobalFree.KERNEL32(00000000), ref: 00430150
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                  • DeleteObject.GDI32(?), ref: 004301D0
                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3969911579-0
                                  • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                  • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                  • String ID: 0
                                  • API String ID: 956284711-4108050209
                                  • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                  • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                  • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                  • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 1965227024-3771769585
                                  • Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                  • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                  • Opcode Fuzzy Hash: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                                  • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: SendString$_memmove_wcslen
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 369157077-1007645807
                                  • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                  • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                  APIs
                                  • GetParent.USER32 ref: 00445BF8
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                  • __wcsicoll.LIBCMT ref: 00445C33
                                  • __wcsicoll.LIBCMT ref: 00445C4F
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 3125838495-3381328864
                                  • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                  • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                  APIs
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                  • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                  • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                  • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$CharNext
                                  • String ID:
                                  • API String ID: 1350042424-0
                                  • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                  • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                  • _wcscpy.LIBCMT ref: 004787E5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                  • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 3052893215-2127371420
                                  • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                  • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                  • __swprintf.LIBCMT ref: 0045E7F7
                                  • _wprintf.LIBCMT ref: 0045E8B3
                                  • _wprintf.LIBCMT ref: 0045E8D7
                                  Strings
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-2354261254
                                  • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                  • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __swprintf_wcscpy$__i64tow__itow
                                  • String ID: %.15g$0x%p$False$True
                                  • API String ID: 3038501623-2263619337
                                  • Opcode ID: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                  • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                  • Opcode Fuzzy Hash: 1bd516ca49f477e8a3ed3b5693b6511736bfb32664ccdf6525c3e88e5b2a74d5
                                  • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                  • __swprintf.LIBCMT ref: 0045E5F6
                                  • _wprintf.LIBCMT ref: 0045E6A3
                                  • _wprintf.LIBCMT ref: 0045E6C7
                                  Strings
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-8599901
                                  • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                  • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                  • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                  • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                  APIs
                                  • timeGetTime.WINMM ref: 00443B67
                                    • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                  • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                  • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                  • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                  • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                  • IsWindow.USER32(00000000), ref: 00443C3A
                                  • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                  Strings
                                  Similarity
                                  • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                  • String ID: BUTTON
                                  • API String ID: 1834419854-3405671355
                                  • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                  • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                  • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                  • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                  • LoadStringW.USER32(00000000), ref: 00454040
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • _wprintf.LIBCMT ref: 00454074
                                  • __swprintf.LIBCMT ref: 004540A3
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                  Strings
                                  Similarity
                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                  • API String ID: 455036304-4153970271
                                  • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                  • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                  • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                  • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                  • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                  • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                  • _memmove.LIBCMT ref: 00467EB8
                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                  • _memmove.LIBCMT ref: 00467F6C
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                  • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                  Similarity
                                  • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                  • String ID:
                                  • API String ID: 2170234536-0
                                  • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                  • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                  • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                  • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00453CE0
                                  • SetKeyboardState.USER32(?), ref: 00453D3B
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                  • GetKeyState.USER32(000000A0), ref: 00453D75
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                  • GetKeyState.USER32(000000A1), ref: 00453DB5
                                  • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                  • GetKeyState.USER32(00000011), ref: 00453DEF
                                  • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                  • GetKeyState.USER32(00000012), ref: 00453E26
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                  • GetKeyState.USER32(0000005B), ref: 00453E5D
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                  • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                  • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                  • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                  • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                  • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                  • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                  • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                  • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                  • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                  • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                  • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                  • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                  • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                  • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                  • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                  APIs
                                  • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                  • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                  • DeleteObject.GDI32(?), ref: 0047151E
                                  • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                  • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                  • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                  • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                  • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                  • DeleteObject.GDI32(?), ref: 004715EA
                                  • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                  Similarity
                                  • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                  • String ID:
                                  • API String ID: 3218148540-0
                                  • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                  • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                  • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                  • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                  APIs
                                  Similarity
                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                  • String ID:
                                  • API String ID: 136442275-0
                                  • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                  • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                  • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                  • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 00467490
                                  • _wcsncpy.LIBCMT ref: 004674BC
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcstok.LIBCMT ref: 004674FF
                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                  • _wcstok.LIBCMT ref: 004675B2
                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                  • _wcslen.LIBCMT ref: 00467793
                                  • _wcscpy.LIBCMT ref: 00467641
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcslen.LIBCMT ref: 004677BD
                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                  • String ID: X
                                  • API String ID: 3104067586-3081909835
                                  • Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                  • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                  • Opcode Fuzzy Hash: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                                  • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                  • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                  • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                  • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                  • _wcslen.LIBCMT ref: 0046CDB0
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                  • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                  • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                    • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                    • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                    • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                  Strings
                                  • NULL Pointer assignment, xrefs: 0046CEA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 440038798-2785691316
                                  • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                  • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                  • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                  • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                  • _wcslen.LIBCMT ref: 004610A3
                                  • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                  • GetWindowRect.USER32(?,?), ref: 00461248
                                    • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                  • String ID: ThumbnailClass
                                  • API String ID: 4136854206-1241985126
                                  • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                  • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                  • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                  • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                  • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                  • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                  • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                  • GetClientRect.USER32(?,?), ref: 00471A1A
                                  • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                  • String ID: 2
                                  • API String ID: 1331449709-450215437
                                  • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                  • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                  • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                  • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                  • __swprintf.LIBCMT ref: 00460915
                                  • __swprintf.LIBCMT ref: 0046092D
                                  • _wprintf.LIBCMT ref: 004609E1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                  • API String ID: 3054410614-2561132961
                                  • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                  • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                  • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                  • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                  • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                  • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 600699880-22481851
                                  • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                  • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                  • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                  • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID: static
                                  • API String ID: 3375834691-2160076837
                                  • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                  • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                  • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                  • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                  • API String ID: 2907320926-3566645568
                                  • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                  • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                  • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                  • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                  APIs
                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                  • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                  • DeleteObject.GDI32(00620000), ref: 00470A04
                                  • DestroyIcon.USER32(0069006C), ref: 00470A1C
                                  • DeleteObject.GDI32(0CB7BBA5), ref: 00470A34
                                  • DestroyWindow.USER32(003A0043), ref: 00470A4C
                                  • DestroyIcon.USER32(?), ref: 00470A73
                                  • DestroyIcon.USER32(?), ref: 00470A81
                                  • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                  • String ID:
                                  • API String ID: 1237572874-0
                                  • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                  • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                  • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                  • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                  • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                  • VariantInit.OLEAUT32(?), ref: 004793E1
                                  • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                  • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                  • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                  • VariantClear.OLEAUT32(?), ref: 00479489
                                  • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                  • VariantClear.OLEAUT32(?), ref: 004794CA
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                  • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                  • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                  • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044480E
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                  • GetKeyState.USER32(000000A0), ref: 004448AA
                                  • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                  • GetKeyState.USER32(000000A1), ref: 004448D9
                                  • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                  • GetKeyState.USER32(00000011), ref: 00444903
                                  • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                  • GetKeyState.USER32(00000012), ref: 0044492D
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                  • GetKeyState.USER32(0000005B), ref: 00444958
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                  • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                  • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                  • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
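                                   The function records above list raw API references with hex arguments, which hides what three of them actually do: the routine at 00458721 maps a share over WNetAddConnection2W, opens HKEY_LOCAL_MACHINE on that host through RegConnectRegistryW (80000002) with KEY_READ (00020019) and resolves a ProgID to a CLSID under SOFTWARE\Classes\$\CLSID; the routine at 0044480E polls the left/right shift, Ctrl, Alt and left Windows keys (000000A0, 000000A1, 00000011, 00000012, 0000005B) with GetAsyncKeyState and GetKeyState; and the routine at 0046CE33 activates a COM class with CLSCTX flags 00000015, which include CLSCTX_REMOTE_SERVER. The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses the report's "• Api.MODULE(args), ref: ADDR" line format, decodes those constants from the Windows SDK tables, and applies capability tags. The sample lines are copied from the records in this section; the tag names and rule sets are my own triage heuristics, not Joe Sandbox signatures.

```python
import re
from collections import Counter

# Constructed sample input: API reference lines copied from three of the
# function records in this report (remote registry at 0x458721.., key-state
# polling at 0x44480E.., COM activation at 0x46CE33..), in Joe Sandbox's
# "• Api.MODULE(args), ref: ADDR" layout.
SAMPLE_LINES = """\
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
• RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, an optional "(args)" list, an optional comma and "ref: ADDR".
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants from the Windows SDK headers, applied by (api, zero-based arg index).
_VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
       0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
_HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
_KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
_EOAC = {0x0: "EOAC_NONE", 0x800: "EOAC_DEFAULT"}
_CLSCTX = [(0x1, "CLSCTX_INPROC_SERVER"), (0x2, "CLSCTX_INPROC_HANDLER"),
           (0x4, "CLSCTX_LOCAL_SERVER"), (0x10, "CLSCTX_REMOTE_SERVER")]

def _lookup(table):
    return lambda v: table.get(v)

def _flags(table):
    # Bit-set decode; refuse to guess if any bit is outside the table.
    def decode(v):
        names = [name for bit, name in table if v & bit]
        unknown = v & ~sum(bit for bit, _ in table)
        return "|".join(names) if names and not unknown else None
    return decode

_ARG_DECODERS = {
    ("GetAsyncKeyState", 0): _lookup(_VK),
    ("GetKeyState", 0): _lookup(_VK),
    ("RegConnectRegistryW", 1): _lookup(_HKEY),
    ("RegOpenKeyExW", 3): _lookup(_KEY_ACCESS),
    ("CoCreateInstanceEx", 2): _flags(_CLSCTX),
    ("CoSetProxyBlanket", 7): _lookup(_EOAC),
}

# Triage heuristics of my own (not Joe Sandbox signatures): a tag fires when
# every API in its set appears as a direct (non-subcall) reference.
_CAPABILITY_RULES = {
    "remote_registry_over_smb": {"WNetAddConnection2W", "RegConnectRegistryW"},
    "progid_to_clsid_lookup": {"RegQueryValueExW", "CLSIDFromString"},
    "modifier_key_polling": {"GetAsyncKeyState", "GetKeyState"},
    "remote_com_activation": {"CoCreateInstanceEx", "CoSetProxyBlanket"},
}

def parse_api_lines(text):
    """Parse report lines into records; lines that are not API references are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if raw is None else [a.strip() for a in raw.split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return records

def decode_args(record):
    """Argument list with known constants replaced by symbolic names; '?' stays '?'."""
    out = []
    for i, a in enumerate(record["args"]):
        try:
            value = int(a, 16)
        except ValueError:       # '?' means the analyzer could not recover the value
            out.append(a)
            continue
        decoder = _ARG_DECODERS.get((record["api"], i))
        out.append((decoder(value) if decoder else None) or a)
    return out

def tag_capabilities(records):
    seen = {r["api"] for r in records if not r["subcall"]}
    return {tag for tag, needed in _CAPABILITY_RULES.items() if needed <= seen}

def api_histogram(records):
    return Counter(r["api"] for r in records if not r["subcall"])

if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_LINES)
    for r in recs:
        print(f"{r['ref']:08X} {r['api']}.{r['module']}({', '.join(decode_args(r))})")
    print("tags:", sorted(tag_capabilities(recs)))
```

                                   Run against a whole report, the histogram and tags give a first cut at which of the hundreds of function records deserve a look: the remote-registry and remote-COM tags point at the 00458721 and 0046CE33 routines, the key-polling tag at 0044480E. The tags are triage hints, not verdicts: the same API sequences occur in legitimate scripting runtimes and GUI frameworks, and "?" arguments mean the static pass could not recover the value, so the decoded view never claims more than the report itself records.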
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                  • String ID:
                                  • API String ID: 3413494760-0
                                  • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                  • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressProc_free_malloc$_strcat_strlen
                                  • String ID: AU3_FreeVar
                                  • API String ID: 2634073740-771828931
                                  • Opcode ID: 0205934085a73e828eb836af54efcf0b2f745960cf3f8f52847b126bcd632882
                                  • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                  • Opcode Fuzzy Hash: 0205934085a73e828eb836af54efcf0b2f745960cf3f8f52847b126bcd632882
                                  • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                  APIs
                                  • CoInitialize.OLE32 ref: 0046C63A
                                  • CoUninitialize.OLE32 ref: 0046C645
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                    • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                  • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                  • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                  • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                  • IIDFromString.OLE32(?,?), ref: 0046C705
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 2294789929-1287834457
                                  • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                  • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                  APIs
                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                  • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                  • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                  • ImageList_EndDrag.COMCTL32 ref: 00471169
                                  • ReleaseCapture.USER32 ref: 0047116F
                                  • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 2483343779-2107944366
                                  • Opcode ID: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                  • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                  • Opcode Fuzzy Hash: 20a5a3ce7c175183900f948b12cd71fc676271c7bfbce6bb48b8262f94f29e03
                                  • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                  • _wcslen.LIBCMT ref: 00450720
                                  • _wcscat.LIBCMT ref: 00450733
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat_wcslen
                                  • String ID: -----$SysListView32
                                  • API String ID: 4008455318-3975388722
                                  • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                  • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                  • GetParent.USER32 ref: 00469C98
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                  • GetParent.USER32 ref: 00469CBC
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2360848162-1403004172
                                  • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                  • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                  • String ID:
                                  • API String ID: 262282135-0
                                  • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                  • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                  • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                  • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                  • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                  APIs
                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                  • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                  • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                  • String ID:
                                  • API String ID: 3771399671-0
                                  • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                  • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                  • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                  • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00434643
                                  • GetForegroundWindow.USER32(00000000), ref: 00434655
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                  • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                  • API String ID: 0-1603158881
                                  • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                  • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                  APIs
                                  • CreateMenu.USER32 ref: 00448603
                                  • SetMenu.USER32(?,00000000), ref: 00448613
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                  • IsMenu.USER32(?), ref: 004486AB
                                  • CreatePopupMenu.USER32 ref: 004486B5
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                  • DrawMenuBar.USER32 ref: 004486F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                  • String ID: 0
                                  • API String ID: 161812096-4108050209
                                  • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                  • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\SOA 89035673890.exe), ref: 00434057
                                  • LoadStringW.USER32(00000000), ref: 00434060
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                  • LoadStringW.USER32(00000000), ref: 00434078
                                  • _wprintf.LIBCMT ref: 004340A1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                  Strings
                                  • C:\Users\user\Desktop\SOA 89035673890.exe, xrefs: 00434040
                                  • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_wprintf
                                  • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\SOA 89035673890.exe
                                  • API String ID: 3648134473-1356466194
                                  • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                  • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                  • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                  • Opcode Fuzzy Hash: 0b34b3a5b5d670eb49a5e2d7b5cd424f37d7569b2aa50e3450060746f4beba41
                                  • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\SOA 89035673890.exe,0040F545,C:\Users\user\Desktop\SOA 89035673890.exe,004A90E8,C:\Users\user\Desktop\SOA 89035673890.exe,?,0040F545), ref: 0041013C
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                  • MoveFileW.KERNEL32(?,?), ref: 00453932
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                  • String ID:
                                  • API String ID: 978794511-0
                                  • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                  • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                  • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                  • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove$_memcmp
                                  • String ID: '$\$h
                                  • API String ID: 2205784470-1303700344
                                  • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                  • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                  • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                  • VariantClear.OLEAUT32 ref: 0045EA6D
                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                  • __swprintf.LIBCMT ref: 0045EC33
                                  • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                  Strings
                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                  • String ID: %4d%02d%02d%02d%02d%02d
                                  • API String ID: 2441338619-1568723262
                                  • Opcode ID: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                  • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                  • Opcode Fuzzy Hash: c256a0e8f79103727635468c6c39d920c699b266699b53e39892a4f9942b48fe
                                  • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                  • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID: @COM_EVENTOBJ
                                  • API String ID: 327565842-2228938565
                                  • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                  • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                  APIs
                                  • VariantClear.OLEAUT32(?), ref: 0047031B
                                  • VariantClear.OLEAUT32(?), ref: 0047044F
                                  • VariantInit.OLEAUT32(?), ref: 004704A3
                                  • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                  • VariantClear.OLEAUT32(?), ref: 00470516
                                    • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                  • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                    • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                  • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$Copy$CallDispFuncInit
                                  • String ID: H
                                  • API String ID: 3613100350-2852464175
                                  • Opcode ID: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                  • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                  • Opcode Fuzzy Hash: a0993396c5b8998c97eda62eb292956ea80afa76050d6468dceab7f561fa4670
                                  • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                  • DestroyWindow.USER32(?), ref: 00426F50
                                  • UnregisterHotKey.USER32(?), ref: 00426F77
                                  • FreeLibrary.KERNEL32(?), ref: 0042701F
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                  • String ID: close all
                                  • API String ID: 4174999648-3243417748
                                  • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                  • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                  • Opcode Fuzzy Hash: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                                  • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                  • String ID:
                                  • API String ID: 1291720006-3916222277
                                  • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                  • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                  • IsMenu.USER32(?), ref: 0045FC5F
                                  • CreatePopupMenu.USER32 ref: 0045FC97
                                  • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                  • String ID: 0$2
                                  • API String ID: 93392585-3793063076
                                  • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                  • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                  • VariantClear.OLEAUT32(?), ref: 00435320
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                  • VariantClear.OLEAUT32(?), ref: 004353B3
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                  • String ID: crts
                                  • API String ID: 586820018-3724388283
                                  • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                  • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\SOA 89035673890.exe,0040F545,C:\Users\user\Desktop\SOA 89035673890.exe,004A90E8,C:\Users\user\Desktop\SOA 89035673890.exe,?,0040F545), ref: 0041013C
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                  • _wcscat.LIBCMT ref: 0044BCAF
                                  • _wcslen.LIBCMT ref: 0044BCBB
                                  • _wcslen.LIBCMT ref: 0044BCD1
                                  • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2326526234-1173974218
                                  • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                  • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                  APIs
                                    • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                  • _wcslen.LIBCMT ref: 004335F2
                                  • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                  • GetLastError.KERNEL32 ref: 0043362B
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                  • _wcsrchr.LIBCMT ref: 00433666
                                    • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                  • String ID: \
                                  • API String ID: 321622961-2967466578
                                  • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                  • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                  • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                                  • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 1038674560-2734436370
                                  • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                  • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                  • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                                  • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                  • __lock.LIBCMT ref: 00417981
                                    • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                    • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                    • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                  • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                  • __lock.LIBCMT ref: 004179A2
                                  • ___addlocaleref.LIBCMT ref: 004179C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$pI
                                  • API String ID: 637971194-197072765
                                  • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                  • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove$_malloc
                                  • String ID:
                                  • API String ID: 1938898002-0
                                  • Opcode ID: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                  • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                  • Opcode Fuzzy Hash: 1f9281079767c86d8b96628a3580c8a8d8da7ec8fe09033d6c47d2aab1b684b9
                                  • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                  APIs
                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                  • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                                  • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                  • String ID:
                                  • API String ID: 3771399671-0
                                  • Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                  • Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
                                  • Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
                                  • Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                  • _memmove.LIBCMT ref: 0044B555
                                  • _memmove.LIBCMT ref: 0044B578
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                  • String ID:
                                  • API String ID: 2737351978-0
                                  • Opcode ID: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                  • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                  • Opcode Fuzzy Hash: 7e8c1d8edbf82e8c7821aeb5991414bf18d3cd2399c52039398c0efb06360fcc
                                  • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                  • __calloc_crt.LIBCMT ref: 00415246
                                  • __getptd.LIBCMT ref: 00415253
                                  • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                  • _free.LIBCMT ref: 0041529E
                                  • __dosmaperr.LIBCMT ref: 004152A9
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 3638380555-0
                                  • Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                  • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                  • Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                  • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0046C96E
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorInitLast
                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                  • API String ID: 3207048006-625585964
                                  • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                  • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                  • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                  • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                  • gethostbyname.WSOCK32(?), ref: 004655A6
                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                  • _memmove.LIBCMT ref: 004656CA
                                  • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                  • WSACleanup.WSOCK32 ref: 00465762
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                  • String ID:
                                  • API String ID: 2945290962-0
                                  • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                  • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                  • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                  • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                  APIs
                                  • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                  • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                  • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                  • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                  • String ID:
                                  • API String ID: 1457242333-0
                                  • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                  • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                  • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                  • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                  • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                  • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                  • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcstok.LIBCMT ref: 004675B2
                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                  • _wcscpy.LIBCMT ref: 00467641
                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                  • _wcslen.LIBCMT ref: 00467793
                                  • _wcslen.LIBCMT ref: 004677BD
                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                  • String ID: X
                                  • API String ID: 780548581-3081909835
                                  • Opcode ID: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                  • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                  • Opcode Fuzzy Hash: 59d8333ba564867e966a45eb1cae5b5c9aa55f5f2a82546ce07c615cef46a44c
                                  • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                  • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                  • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                  • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                  • CloseFigure.GDI32(?), ref: 0044751F
                                  • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                  • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                  • String ID:
                                  • API String ID: 4082120231-0
                                  • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                  • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                  • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                  • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                  • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                  • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                  • String ID:
                                  • API String ID: 2027346449-0
                                  • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                  • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                  • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                  • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • GetMenu.USER32 ref: 0047A703
                                  • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                  • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                  • _wcslen.LIBCMT ref: 0047A79E
                                  • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                  • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                  • String ID:
                                  • API String ID: 3257027151-0
                                  • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                  • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                  • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                  • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorLastselect
                                  • String ID:
                                  • API String ID: 215497628-0
                                  • Opcode ID: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                  • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                  • Opcode Fuzzy Hash: bd199fa730e01bd6eb844f10b5a9d2666f16aab98b040269f67dcb89f4e9aede
                                  • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                  APIs
                                  • GetParent.USER32(?), ref: 0044443B
                                  • GetKeyboardState.USER32(?), ref: 00444450
                                  • SetKeyboardState.USER32(?), ref: 004444A4
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                  • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                  • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                  • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                  APIs
                                  • GetParent.USER32(?), ref: 00444633
                                  • GetKeyboardState.USER32(?), ref: 00444648
                                  • SetKeyboardState.USER32(?), ref: 0044469C
                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                  • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                  • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                  • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                  APIs
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                  • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                  • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyIcon.USER32(?), ref: 00455752
                                  • DestroyWindow.USER32(?), ref: 00455760
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                  • String ID:
                                  • API String ID: 2354583917-0
                                  • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                  • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                  • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                  • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                  • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                  • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                  • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                  APIs
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageMoveSend
                                  • String ID:
                                  • API String ID: 896007046-0
                                  • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                  • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                  • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                  • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                  APIs
                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                  • GetFocus.USER32 ref: 00448ACF
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Similarity
                                  • API ID: Window$Enable$Show$FocusMessageSend
                                  • String ID:
                                  • API String ID: 3429747543-0
                                  • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                  • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                  • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                  • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                  • __swprintf.LIBCMT ref: 0045D4E9
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu$\VH
                                  • API String ID: 3164766367-2432546070
                                  • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                  • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                  • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                  • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                  APIs
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Msctls_Progress32
                                  • API String ID: 3850602802-3636473452
                                  • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                  • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                  • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                  • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                  Similarity
                                  • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                  • String ID:
                                  • API String ID: 3985565216-0
                                  • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                  • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                  • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                  • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                  APIs
                                  • _malloc.LIBCMT ref: 0041F707
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _free.LIBCMT ref: 0041F71A
                                  Similarity
                                  • API ID: AllocateHeap_free_malloc
                                  • String ID: [B
                                  • API String ID: 1020059152-632041663
                                  • Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                  • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                  • Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                  • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                  • __calloc_crt.LIBCMT ref: 00413DB0
                                  • __getptd.LIBCMT ref: 00413DBD
                                  • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                  • _free.LIBCMT ref: 00413E07
                                  • __dosmaperr.LIBCMT ref: 00413E12
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Similarity
                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 155776804-0
                                  • Opcode ID: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                  • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                  • Opcode Fuzzy Hash: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                  • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                  APIs
                                    • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                    • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                  • String ID:
                                  • API String ID: 1957940570-0
                                  • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                  • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                  • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                  • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                  • ExitThread.KERNEL32 ref: 00413D4E
                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                  • __freefls@4.LIBCMT ref: 00413D74
                                  Similarity
                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 259663610-0
                                  • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                  • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                  • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                  • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004302E6
                                  • GetWindowRect.USER32(00000000,?), ref: 00430316
                                  • GetClientRect.USER32(?,?), ref: 00430364
                                  • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                  • GetWindowRect.USER32(?,?), ref: 004303C3
                                  • ScreenToClient.USER32(?,?), ref: 004303EC
                                  Similarity
                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                  • String ID:
                                  • API String ID: 3220332590-0
                                  • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                  • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                  • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                  • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                  Similarity
                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                  • String ID:
                                  • API String ID: 1612042205-0
                                  • Opcode ID: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                  • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                  • Opcode Fuzzy Hash: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                                  • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: >$U$\
                                  • API String ID: 2666721431-237099441
                                  • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                  • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C570
                                  • SetKeyboardState.USER32(00000080), ref: 0044C594
                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$InputSend
                                  • String ID:
                                  • API String ID: 2221674350-0
                                  • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                  • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                  Similarity
                                  • API ID: _wcscpy$_wcscat
                                  • String ID:
                                  • API String ID: 2037614760-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                  • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                  • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                  • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                  • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                  Similarity
                                  • API ID: Variant$Copy$AllocClearErrorLastString
                                  • String ID:
                                  • API String ID: 960795272-0
                                  APIs
                                  • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Similarity
                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 4189319755-0
                                  APIs
                                  • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                  • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                  • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                  • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                  • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                  Similarity
                                  • API ID: MessageSend$LongWindow$InvalidateRect
                                  • String ID:
                                  • API String ID: 1976402638-0
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                  • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                  • ShowWindow.USER32(?,00000000), ref: 00440B18
                                  • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                  • EnableWindow.USER32(?,00000001), ref: 00440B50
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  Strings
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorLast
                                  • String ID: NULL Pointer assignment$Not an Object type
                                  • API String ID: 2487901850-572801152
                                  APIs
                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageSend
                                  • String ID:
                                  • API String ID: 1871949834-0
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                  • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                  • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                  • SendMessageW.USER32 ref: 00471AE3
                                  • DestroyIcon.USER32(?), ref: 00471AF4
                                  Similarity
                                  • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                  • String ID:
                                  • API String ID: 3611059338-0
                                  APIs
                                  Similarity
                                  • API ID: DestroyWindow$DeleteObject$IconMove
                                  • String ID:
                                  • API String ID: 1640429340-0
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcslen.LIBCMT ref: 004438CD
                                  • _wcslen.LIBCMT ref: 004438E6
                                  • _wcstok.LIBCMT ref: 004438F8
                                  • _wcslen.LIBCMT ref: 0044390C
                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                  • _wcstok.LIBCMT ref: 00443931
                                  Similarity
                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                  • String ID:
                                  • API String ID: 3632110297-0
                                  APIs
                                  Similarity
                                  • API ID: Destroy$DeleteMenuObject$IconWindow
                                  • String ID:
                                  • API String ID: 752480666-0
                                  APIs
                                  Similarity
                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                  • String ID:
                                  • API String ID: 3275902921-0
                                  APIs
                                  Similarity
                                  • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                  • String ID:
                                  • API String ID: 3275902921-0
                                  • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                  • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                  • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                  • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                  APIs
                                  • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                  • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                  • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                  • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
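The per-function listings in this report are pure data: an "APIs" bullet list of call sites, the dump they came from, and the similarity hashes. The record just above (Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter at 004331B9 onwards) is the one the report's "execution timing" signature points at, and the record further down that calls TerminateThread after WaitForSingleObject is the kind of thing an analyst wants pulled out of a few thousand such blocks. The following is an added example, not Joe Sandbox code: it parses this record layout as printed on the page and applies two or three indicator rules of its own. The sample input is a constructed excerpt of two listings from this section with their argument lists trimmed; the rule names, the "timing bracket" heuristic and the choice of lowest call-site address as a record label are this example's assumptions. The timing rule looks only at call order, not at argument values (the Sleep calls here are shown with a first argument of 0).

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag anti-analysis call patterns.

Added example for this page, not Joe Sandbox code.  The record layout is the one
visible in the listings on the page; the indicator rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed excerpt in the report's record layout: two listings from this
# section with their argument lists trimmed, used here only as sample input.
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000,?,00000000,004A8178), ref: 004331B9
• QueryPerformanceCounter.KERNEL32(?,?,00000000,004A8178), ref: 004331D4
• QueryPerformanceFrequency.KERNEL32(?,004A8178), ref: 004331DE
• Sleep.KERNEL32(00000000,004A8178), ref: 004331E6
• QueryPerformanceCounter.KERNEL32(?,004A8178), ref: 004331F0
Memory Dump Source
• Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
"""

# One bullet of an APIs list, e.g.
#   • Sleep.KERNEL32(00000000,?), ref: 004331B9
#   • DrawMenuBar.USER32 ref: 004485AF
#     • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000), ref: 00432622
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: Optional[str]          # call-site address as printed in the report
    subcall_of: Optional[str]   # set when the call lives in a callee, not in this function


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""

    def direct_names(self) -> List[str]:
        """API names called by the function itself, in listing order."""
        return [c.name for c in self.calls if c.subcall_of is None]

    @property
    def start(self) -> str:
        """Lowest direct call-site address; used as the record's label (an assumption)."""
        refs = [c.ref for c in self.calls if c.ref and c.subcall_of is None]
        return min(refs, key=lambda r: int(r, 16)) if refs else "?"


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into function records, one per 'APIs' header."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref"), m.group("sub")))
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• API String ID:"):
            current.api_string_id = line.split(":", 1)[1].strip()
    return records


def has_timing_bracket(rec: FunctionRecord) -> bool:
    """True when a Sleep is both preceded and followed by QueryPerformanceCounter,
    i.e. the function measures wall-clock time around a sleep; single-stepping or
    hooking inflates that interval, which is why the report flags execution timing."""
    names = rec.direct_names()
    return any(
        n == "Sleep"
        and "QueryPerformanceCounter" in names[:i]
        and "QueryPerformanceCounter" in names[i + 1:]
        for i, n in enumerate(names)
    )


# Heuristic rules of this example; extend as needed.
RULES: Dict[str, Callable[[FunctionRecord], bool]] = {
    "timing-check": has_timing_bracket,
    "debugger-check": lambda r: "IsDebuggerPresent" in r.direct_names(),
    "thread-termination": lambda r: "TerminateThread" in r.direct_names(),
}


def flag_records(records: List[FunctionRecord]) -> Dict[str, List[str]]:
    """Map each flagged record's start address to the rule names that fired."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        tags = [tag for tag, pred in RULES.items() if pred(rec)]
        if tags:
            hits[rec.start] = tags
    return hits


if __name__ == "__main__":
    for start, tags in flag_records(parse_records(SAMPLE)).items():
        print(start, ", ".join(tags))
```

Calls marked "Part of subcall function" are kept on the record but excluded from the rules, so a wrapper that merely calls a helper which sleeps is not itself flagged; drop that filter if you want callee behaviour attributed upwards.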
                                  APIs
                                  • SendMessageW.USER32 ref: 004555C7
                                  • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyIcon.USER32(?), ref: 00455752
                                  • DestroyWindow.USER32(?), ref: 00455760
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                  • String ID:
                                  • API String ID: 3691411573-0
                                  • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                  • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                  • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                  • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                  • LineTo.GDI32(?,?,?), ref: 004472AC
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                  • LineTo.GDI32(?,?,?), ref: 004472C6
                                  • EndPath.GDI32(?), ref: 004472D6
                                  • StrokePath.GDI32(?), ref: 004472E4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                  • String ID:
                                  • API String ID: 372113273-0
                                  • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                  • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                  • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                  • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                  APIs
                                  • GetDC.USER32(00000000), ref: 0044CC6D
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CapsDevice$Release
                                  • String ID:
                                  • API String ID: 1035833867-0
                                  • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                  • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                  • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                  • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                  APIs
                                  • __getptd.LIBCMT ref: 0041708E
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __amsg_exit.LIBCMT ref: 004170AE
                                  • __lock.LIBCMT ref: 004170BE
                                  • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                  • _free.LIBCMT ref: 004170EE
                                  • InterlockedIncrement.KERNEL32(00912CE0), ref: 00417106
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                  • String ID:
                                  • API String ID: 3470314060-0
                                  • Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                  • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                  • Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                  • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                    • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                  • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                  • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                  • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                  • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • ExitThread.KERNEL32 ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 442100245-0
                                  • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                  • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                  • _wcslen.LIBCMT ref: 0045F94A
                                  • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                  • String ID: 0
                                  • API String ID: 621800784-4108050209
                                  • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                  • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SetErrorMode.KERNEL32 ref: 004781CE
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • SetErrorMode.KERNEL32(?), ref: 00478270
                                  • SetErrorMode.KERNEL32(?), ref: 00478340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                  • String ID: \VH
                                  • API String ID: 3884216118-234962358
                                  • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                  • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                  • IsMenu.USER32(?), ref: 0044854D
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                  • DrawMenuBar.USER32 ref: 004485AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert
                                  • String ID: 0
                                  • API String ID: 3076010158-4108050209
                                  • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                  • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                  • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1589278365-1403004172
                                  • Opcode ID: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                  • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                  • Opcode Fuzzy Hash: e833c5f683c324df3584e13527d60df096f9c23fae9490791bb62fc6faf22f53
                                  • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                  • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                  Strings
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                  • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: SysAnimate32
                                  • API String ID: 0-1011021900
                                  • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                  • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                    • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                    • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                    • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                    • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                  • GetFocus.USER32 ref: 0046157B
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                  • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                  • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                  • __swprintf.LIBCMT ref: 00461608
                                  Strings
                                  Similarity
                                  • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                  • String ID: %s%d
                                  • API String ID: 2645982514-1110647743
                                  • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                  • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                  • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                  • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                  Similarity
                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                  • String ID:
                                  • API String ID: 3488606520-0
                                  • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                  • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                  • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                  APIs
                                  • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                  • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                  • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID:
                                  • API String ID: 2449869053-0
                                  • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                  • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004563A6
                                  • ScreenToClient.USER32(?,?), ref: 004563C3
                                  • GetAsyncKeyState.USER32(?), ref: 00456400
                                  • GetAsyncKeyState.USER32(?), ref: 00456410
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                  Similarity
                                  • API ID: AsyncState$ClientCursorLongScreenWindow
                                  • String ID:
                                  • API String ID: 3539004672-0
                                  • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                  • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                  • Sleep.KERNEL32(0000000A), ref: 0047D455
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID:
                                  • API String ID: 327565842-0
                                  • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                  • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String
                                  • String ID:
                                  • API String ID: 2832842796-0
                                  • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                  • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                  APIs
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                  • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Enum$CloseDeleteOpen
                                  • String ID:
                                  • API String ID: 2095303065-0
                                  • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                  • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00436A24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: RectWindow
                                  • String ID:
                                  • API String ID: 861336768-0
                                  • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                  • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                  APIs
                                  • SendMessageW.USER32 ref: 00449598
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                  • _wcslen.LIBCMT ref: 0044960D
                                  • _wcslen.LIBCMT ref: 0044961A
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 1856069659-0
                                  • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                  • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004478E2
                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                  • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                  • GetCursorPos.USER32(00000000), ref: 0044796A
                                  • TrackPopupMenuEx.USER32(009163C0,00000000,00000000,?,?,00000000), ref: 00447991
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CursorMenuPopupTrack$Proc
                                  • String ID:
                                  • API String ID: 1300944170-0
                                  • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                  • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004479CC
                                  • GetCursorPos.USER32(?), ref: 004479D7
                                  • ScreenToClient.USER32(?,?), ref: 004479F3
                                  • WindowFromPoint.USER32(?,?), ref: 00447A34
                                  • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Client$CursorFromPointProcRectScreenWindow
                                  • String ID:
                                  • API String ID: 1822080540-0
                                  • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                  • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 659298297-0
                                  • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                  • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                  APIs
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                    • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                    • Part of subcall function 00440D98: SendMessageW.USER32(00911A60,000000F1,00000000,00000000), ref: 00440E6E
                                    • Part of subcall function 00440D98: SendMessageW.USER32(00911A60,000000F1,00000001,00000000), ref: 00440E9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$EnableMessageSend$LongShow
                                  • String ID:
                                  • API String ID: 142311417-0
                                  • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                  • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                  • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00445879
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                  • _wcslen.LIBCMT ref: 004458FB
                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                  • String ID:
                                  • API String ID: 3087257052-0
                                  • Opcode ID: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
                                  • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                  • Opcode Fuzzy Hash: 622372a4a32610ce73fb3647056b26e365a1681bd10d6cc102ac189a3bd4553b
                                  • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                  • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 245547762-0
                                  • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                  • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 004471D8
                                  • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                  • SelectObject.GDI32(?,00000000), ref: 00447228
                                  • BeginPath.GDI32(?), ref: 0044723D
                                  • SelectObject.GDI32(?,00000000), ref: 00447266
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Object$Select$BeginCreateDeletePath
                                  • String ID:
                                  • API String ID: 2338827641-0
                                  • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                  • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00434598
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                  • Sleep.KERNEL32(00000000), ref: 004345D4
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  • String ID:
                                  • API String ID: 2875609808-0
                                  • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                  • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                  • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                  • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                  • MessageBeep.USER32(00000000), ref: 00460C46
                                  • KillTimer.USER32(?,0000040A), ref: 00460C68
                                  • EndDialog.USER32(?,00000001), ref: 00460C83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                  • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                  • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                  • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Destroy$DeleteObjectWindow$Icon
                                  • String ID:
                                  • API String ID: 4023252218-0
                                  • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                  • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                  • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                  • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                  APIs
                                  • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyIcon.USER32(?), ref: 00455752
                                  • DestroyWindow.USER32(?), ref: 00455760
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DeleteDestroyObject$IconMessageSendWindow
                                  • String ID:
                                  • API String ID: 1489400265-0
                                  • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                  • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                  • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                  • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                  APIs
                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                  • DestroyWindow.USER32(?), ref: 00455728
                                  • DeleteObject.GDI32(?), ref: 00455736
                                  • DeleteObject.GDI32(?), ref: 00455744
                                  • DestroyIcon.USER32(?), ref: 00455752
                                  • DestroyWindow.USER32(?), ref: 00455760
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                  • String ID:
                                  • API String ID: 1042038666-0
                                  • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                  • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                  • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                  • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                  • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                  • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                  • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                  APIs
                                  • __getptd.LIBCMT ref: 0041780F
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __getptd.LIBCMT ref: 00417826
                                  • __amsg_exit.LIBCMT ref: 00417834
                                  • __lock.LIBCMT ref: 00417844
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 938513278-0
                                  • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                  • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                  • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                  • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                  APIs
                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                  • ExitThread.KERNEL32 ref: 00413D4E
                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                  • __freefls@4.LIBCMT ref: 00413D74
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 2403457894-0
                                  • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                  • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                  • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                  • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                  APIs
                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • ExitThread.KERNEL32 ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 4247068974-0
                                  • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                  • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                  • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                  • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 5$8$^
                                  • API String ID: 0-3622883839
                                  • Opcode ID: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                  • Instruction ID: 6ee989b57c56cc683e8081b45a60e8d88641feefa2b309a8211b066407c3f2e5
                                  • Opcode Fuzzy Hash: 5b0bf54134f80cff9ca6ce4a8dff4b23300e7e002ba4f74be1d0103a91d53083
                                  • Instruction Fuzzy Hash: 82F1B4B1D00649AACB24CFA9C940AEEFBF4EF84300F14856FE455E7351E3B89A45CB56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: )$U$\
                                  • API String ID: 0-3705770531
                                  • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                  • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                  • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                  • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                  • CoUninitialize.OLE32 ref: 0046E53D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                  • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                  • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                  • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 708495834-557222456
                                  • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                  • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                  • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                  • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                  APIs
                                    • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                    • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                    • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                    • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                    • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                  • String ID: @
                                  • API String ID: 4150878124-2766056989
                                  • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                  • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                  • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                  • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$]$h
                                  • API String ID: 4104443479-3262404753
                                  • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                  • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                  • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                  • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                  APIs
                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • CloseHandle.KERNEL32(?), ref: 00457E09
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                  • String ID: <$@
                                  • API String ID: 2417854910-1426351568
                                  • Opcode ID: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                  • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                  • Opcode Fuzzy Hash: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                                  • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 3705125965-3916222277
                                  • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                  • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                  • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                  • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                  APIs
                                  • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                  • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                  • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem
                                  • String ID: 0
                                  • API String ID: 135850232-4108050209
                                  • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                  • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                  • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                  • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                  APIs
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$Long
                                  • String ID: SysTreeView32
                                  • API String ID: 847901565-1698111956
                                  • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                  • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                  • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                  • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                  • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: AU3_GetPluginDetails
                                  • API String ID: 145871493-4132174516
                                  • Opcode ID: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                  • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                  • Opcode Fuzzy Hash: eeab42aefd2d36d06d7687f66def4b4fc74e6333f2f3c4216b61849e5f0d6007
                                  • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                  APIs
                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: SysMonthCal32
                                  • API String ID: 2326795674-1439706946
                                  • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                  • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                  • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                  • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                  APIs
                                  • DestroyWindow.USER32(00000000), ref: 00450A2F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID: msctls_updown32
                                  • API String ID: 3375834691-2298589950
                                  • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                  • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: $<
                                  • API String ID: 4104443479-428540627
                                  • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                  • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                  • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                  • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                  • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                  • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                  • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                  • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                  • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                  • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                  • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                  • String ID: crts
                                  • API String ID: 943502515-3724388283
                                  • Opcode ID: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                  • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                  • Opcode Fuzzy Hash: 529e37b86e0cb06f9ed43835dc92f00344189a4a835cae890eb44c126e03fe94
                                  • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                  • CoUninitialize.OLE32 ref: 0046E53D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                  • Instruction ID: 8523b4f55483354ee3aaa8e7e2ee5f8b04597d59409be9d2747526508be4cfd1
                                  • Opcode Fuzzy Hash: ca4e97b0deac3c583c427a3e57c18447ee07ba297a7231e98f3a70961bae8bd6
                                  • Instruction Fuzzy Hash: E72183312082009FD700EF55C985F4AB7F4AF88729F14866EF9589B2E1D7B4E804CB56
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                  • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                  • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorMode$LabelVolume
                                  • String ID: \VH
                                  • API String ID: 2006950084-234962358
                                  • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                  • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetMenuItemInfoW.USER32 ref: 00449727
                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                  • DrawMenuBar.USER32 ref: 00449761
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw_malloc
                                  • String ID: 0
                                  • API String ID: 772068139-4108050209
                                  • Opcode ID: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                  • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                  • Opcode Fuzzy Hash: 15a76c8cdafcabc0d330a2bd3afc87876622b04de3c231e264bb1fcb70d0c272
                                  • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcscpy
                                  • String ID: 3, 3, 8, 1
                                  • API String ID: 3469035223-357260408
                                  • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                  • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                  • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                  • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                  • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCloseHandle
                                  • API String ID: 2574300362-3530519716
                                  • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                  • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                  • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCreateFile
                                  • API String ID: 2574300362-275556492
                                  • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                  • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpSendEcho
                                  • API String ID: 2574300362-58917771
                                  • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                  • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2574300362-4033151799
                                  • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                  • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                  • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                  • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                  • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0047950F
                                  • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                  • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                  • VariantClear.OLEAUT32(?), ref: 00479650
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Variant$AllocClearCopyInitString
                                  • String ID:
                                  • API String ID: 2808897238-0
                                  • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                  • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                  • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                  • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                  APIs
                                  • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                  • __itow.LIBCMT ref: 004699CD
                                    • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                  • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                  • __itow.LIBCMT ref: 00469A97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow
                                  • String ID:
                                  • API String ID: 3379773720-0
                                  • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                  • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00449A4A
                                  • ScreenToClient.USER32(?,?), ref: 00449A80
                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                  • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                  • String ID:
                                  • API String ID: 2782032738-0
                                  • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                  • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                  APIs
                                  • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                  • GetWindowRect.USER32(?,?), ref: 00441722
                                  • PtInRect.USER32(?,?,?), ref: 00441734
                                  • MessageBeep.USER32(00000000), ref: 004417AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                  • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                  • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                  • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                  • __isleadbyte_l.LIBCMT ref: 004208A6
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                  • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                  APIs
                                  • GetParent.USER32(?), ref: 004503C8
                                  • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                  • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                  • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Proc$Parent
                                  • String ID:
                                  • API String ID: 2351499541-0
                                  • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                  • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                  • TranslateMessage.USER32(?), ref: 00442B01
                                  • DispatchMessageW.USER32(?), ref: 00442B0B
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchTranslate
                                  • String ID:
                                  • API String ID: 1795658109-0
                                  • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                  • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                  APIs
                                  • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • GetCaretPos.USER32(?), ref: 004743B2
                                  • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                  • GetForegroundWindow.USER32 ref: 004743EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                  • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                  APIs
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                  • _wcslen.LIBCMT ref: 00449519
                                  • _wcslen.LIBCMT ref: 00449526
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 2886238975-0
                                  • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                  • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __setmode$DebugOutputString_fprintf
                                  • String ID:
                                  • API String ID: 1792727568-0
                                  • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                  • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesLayered
                                  • String ID:
                                  • API String ID: 2169480361-0
                                  • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                  • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                  APIs
                                    • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                    • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                    • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                  • lstrlenW.KERNEL32(?), ref: 00434CF6
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                  • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen$_malloc
                                  • String ID: cdecl
                                  • API String ID: 3850814276-3896280584
                                  • Opcode ID: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                  • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                  • Opcode Fuzzy Hash: c1d0e3fd88ced86f6f3832065c3908be80ab03c979ff4d6bcf24e5a7885ffd19
                                  • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                  APIs
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                  • _memmove.LIBCMT ref: 0046D475
                                  • inet_ntoa.WSOCK32(?), ref: 0046D481
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                  • String ID:
                                  • API String ID: 2502553879-0
                                  • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                  • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                  APIs
                                  • SendMessageW.USER32 ref: 00448C69
                                  • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                  • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                  • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ErrorLastacceptselect
                                  • String ID:
                                  • API String ID: 385091864-0
                                  • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                  • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                  • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                  • GetStockObject.GDI32(00000011), ref: 00430258
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                  • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Window$CreateMessageObjectSendShowStock
                                  • String ID:
                                  • API String ID: 1358664141-0
                                  • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                  • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                  • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                  • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 2880819207-0
                                  • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                  • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00430BA2
                                  • ScreenToClient.USER32(?,?), ref: 00430BC1
                                  • ScreenToClient.USER32(?,?), ref: 00430BE2
                                  • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  • String ID:
                                  • API String ID: 357397906-0
                                  • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                  • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 0043392E
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • __wsplitpath.LIBCMT ref: 00433950
                                  • __wcsicoll.LIBCMT ref: 00433974
                                  • __wcsicoll.LIBCMT ref: 0043398A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                  • String ID:
                                  • API String ID: 1187119602-0
                                  • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                  • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: _wcslen$_malloc_wcscat_wcscpy
                                  • String ID:
                                  • API String ID: 1597257046-0
                                  • Opcode ID: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                  • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                  • Opcode Fuzzy Hash: 15947565afd9da0c51d6b39d986381e9b8142da2aa4972dda906e7c054fe1a7b
                                  • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                  • __malloc_crt.LIBCMT ref: 0041F5B6
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: EnvironmentStrings$Free__malloc_crt
                                  • String ID:
                                  • API String ID: 237123855-0
                                  • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                  • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: DeleteDestroyObject$IconWindow
                                  • String ID:
                                  • API String ID: 3349847261-0
                                  • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                  • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                                  • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                                  • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                                  APIs
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                  • String ID:
                                  • API String ID: 2223660684-0
                                  • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                  • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                  • LineTo.GDI32(?,?,?), ref: 00447326
                                  • EndPath.GDI32(?), ref: 00447336
                                  • StrokePath.GDI32(?), ref: 00447344
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                  • String ID:
                                  • API String ID: 2783949968-0
                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                  • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                  • AttachThreadInput.USER32(00000000), ref: 004364AA
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                  • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                    • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                    • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                  Similarity
                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                  • String ID:
                                  • API String ID: 146765662-0
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00472B63
                                  • GetDC.USER32(00000000), ref: 00472B6C
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                  • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00472BB2
                                  • GetDC.USER32(00000000), ref: 00472BBB
                                  • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                  • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  APIs
                                  • __getptd_noexit.LIBCMT ref: 00415150
                                    • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                    • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                    • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                    • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                    • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                  • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                  • __freeptd.LIBCMT ref: 0041516B
                                  • ExitThread.KERNEL32 ref: 00415173
                                  Similarity
                                  • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                  • String ID:
                                  • API String ID: 1454798553-0
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: Q\E
                                  • API String ID: 909875538-2189900498
                                  APIs
                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                  Strings
                                  Similarity
                                  • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                  • String ID: AutoIt3GUI$Container
                                  • API String ID: 2652923123-3941886329
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: U$\
                                  • API String ID: 2666721431-100911408
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • __wcsnicmp.LIBCMT ref: 00467288
                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                  Strings
                                  Similarity
                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                  • String ID: LPT
                                  • API String ID: 3035604524-1350329615
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$h
                                  • API String ID: 4104443479-677774858
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID: &
                                  • API String ID: 2931989736-1010288
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  APIs
                                  • _wcslen.LIBCMT ref: 00466825
                                  • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                  Strings
                                  Similarity
                                  • API ID: CrackInternet_wcslen
                                  • String ID: |
                                  • API String ID: 596671847-2343686810
                                  APIs
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  APIs
                                  • _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                  • _sprintf.LIBCMT ref: 0040F9AE
                                  Strings
                                  Similarity
                                  • API ID: _memmove$_sprintf_strlen
                                  • String ID: %02X
                                  • API String ID: 1921645428-436463671
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                  Strings
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00476CB0
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                  Strings
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: htonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 3832099526-2422070025
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                  Strings
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID: <local>
                                  • API String ID: 2038078732-4266983199
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __fread_nolock_memmove
                                  • String ID: EA06
                                  • API String ID: 1988441806-3962188686
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: u,D
                                  • API String ID: 4104443479-3858472334
                                  APIs
                                  • _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00401B57
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  Strings
                                  Similarity
                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                  • String ID: @EXITCODE
                                  • API String ID: 2734553683-3436989551
                                  APIs
                                  • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • wsprintfW.USER32 ref: 0045612A
                                  Strings
                                  Similarity
                                  • API ID: MessageSend_mallocwsprintf
                                  • String ID: %d/%02d/%02d
                                  • API String ID: 1262938277-328681919
                                  APIs
                                  • InternetCloseHandle.WININET(?), ref: 00442663
                                  • InternetCloseHandle.WININET ref: 00442668
                                    • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                  Strings
                                  Similarity
                                  • API ID: CloseHandleInternet$ObjectSingleWait
                                  • String ID: aeB
                                  • API String ID: 857135153-906807131
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _wcsncpy
                                  • String ID: ^B$C:\Users\user\Desktop\SOA 89035673890.exe
                                  • API String ID: 1735881322-1290184060
                                  • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                  • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                  • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                  • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                  • PostMessageW.USER32(00000000), ref: 00441C05
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                  • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                  • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                  • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                  • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                  • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                  • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                    • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724507910.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724524098.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724537002.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724550031.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1724578135.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_SOA 89035673890.jbxd
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283
                                  • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                  • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                  • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                  • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
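The function records above (API calls with call-site references, the dump region each function was recovered from, and the Similarity hashes) are more useful in structured form than as a flat listing. The following is an added example, not part of the Joe Sandbox report: a small Python parser that turns such records into objects, strips the "Download File" link labels the web page glues onto dump names, and decodes the dump file name. The input is constructed from the two entries shown above. The meaning assigned to the dump-name fields beyond base address, page protection and region type (process index, dump stage, timestamp, region id) is an assumption, as is the use of the "AutoIt" MessageBoxW caption as a triage marker for a compiled AutoIt script.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two records copied from the plugin entries on this page,
# "Download File" residue included so the parser is seen removing it.
SAMPLE_REPORT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Memory Dump Source
• Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1724455377.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Memory Dump Source
• Source File: 00000000.00000002.1724468622.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
"""

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                      r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
KEY_VALUE = re.compile(r"^•\s*([^:]+):\s*(.*)$")

@dataclass
class ApiCall:
    module: str
    name: str
    args: Optional[str]            # raw argument list as printed, None for "_doexit.LIBCMT"
    ref: int                       # call-site address inside the dumped image
    subcall_of: Optional[int]      # parent function when marked "Part of subcall function"

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "String ID", "Source File", ...

def parse_entries(text: str) -> list:
    """One FunctionEntry per "APIs" block; key/value bullets go into .fields."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADINGS:
            if line == "APIs":                 # every record opens with its API list
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_CALL.match(line)
            if m:
                parent, name, module, args, ref = m.groups()
                current.apis.append(ApiCall(module, name, args, int(ref, 16),
                                            int(parent, 16) if parent else None))
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1), m.group(2).removesuffix("Download File").strip()
            current.fields.setdefault(key, []).append(value)
    return entries

# winnt.h page-protection and region-type constants.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def parse_sdmp_name(name: str) -> dict:
    """Decode <proc>.<stage>.<stamp>.<base>.<protect>.<flag>.<type>.<region>.sdmp.
    Only base, protect and type match documented Windows values; the other
    field names are assumptions and the values are returned raw."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    proc, stage, stamp, base, protect, flag, mtype, region = parts
    return {"process": int(proc, 16), "stage": int(stage, 16), "timestamp": int(stamp),
            "base": int(base, 16),
            "protect": PAGE_PROTECT.get(int(protect, 16), protect),
            "flag": int(flag, 16),
            "type": MEM_TYPE.get(int(mtype, 16), mtype),
            "region": int(region, 16)}

def is_autoit_runtime(entries) -> bool:
    """Triage marker (assumption): a MessageBoxW whose caption (third argument) is
    "AutoIt" is the AutoIt3 interpreter's own error dialog, so the PE is the stock
    interpreter stub and the sample's logic lives in the compiled script it carries."""
    for entry in entries:
        for call in entry.apis:
            if call.name.startswith("MessageBox") and call.args:
                argv = call.args.split(",")
                if len(argv) >= 3 and argv[2] == "AutoIt":
                    return True
    return False
```

Running `parse_entries(SAMPLE_REPORT)` yields two entries; the first has three calls (the Sleep call tagged as belonging to subcall 0x4331A2) and an "Associated" dump name with the link label removed, and `is_autoit_runtime` returns True for the second. `parse_sdmp_name` on the .text source file reports base 0x401000, PAGE_EXECUTE_READ and MEM_IMAGE, which is consistent with the 0x400000 header and 0x482000 region being PAGE_READONLY and the 0x490000 data region PAGE_READWRITE in the Associated list.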