Windows Analysis Report
(2).docx.exe

Overview

General Information

Sample name: (2).docx.exe
renamed because original name is a hash value
Original sample name: 11_21-2024_753e373_9-372-- -A1 (2).docx.exe
Analysis ID: 1560294
MD5: 8c01c51ef925e81212d6f39c098fe65f
SHA1: 94404d75e90260be4bdea4d3f76d1cab1deca5ff
SHA256: f03d10d6d5be51c58642517465216d686f029cb1f85266939eed886f85e68dda

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • (2).docx.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\(2).docx.exe" MD5: 8C01C51EF925E81212D6F39C098FE65F)
    • svchost.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\(2).docx.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmstp.exe (PID: 7416 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)
          • cmd.exe (PID: 7440 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware Configuration

{"C2 list": ["www.2creativedesign.online/ud04/"], "decoy": ["oum7.pro", "ovonordisk.online", "akrzus.pro", "tendmtedcpsa.site", "mm.foo", "animevyhgsft29817.click", "digdxxb.info", "1130.vip", "uy-now-pay-later-74776.bond", "ybzert.online", "edcn.link", "rime-flow-bay.xyz", "nd777id.beauty", "otoyama.shop", "lranchomx.xyz", "unluoren.top", "uglesang-troms.net", "udulbet88.net", "raquewear.shop", "ijanarko.net", "iuxy.host", "itaxia.dev", "hisewntbqg.makeup", "talianfood.store", "22gxx.app", "tandkite.fun", "rovideoeditor.shop", "ires-86307.bond", "elitjatarjoukset.click", "rofilern.net", "uycarpaylater-02-t1e-01.today", "futurum.xyz", "inance15.site", "alance-ton-budget.net", "tpuniplay.shop", "dlpli.xyz", "riteon.online", "rippyshaker.shop", "rn10.top", "linko1win.icu", "ugeniolopez.art", "raphic-design-degree-68380.bond", "narchists.info", "uy-now-pay-later-25573.bond", "gzvmt.info", "df.clinic", "onesome.store", "imba-168.net", "ayef.xyz", "64axyozkgl.top", "dult-diapers-53774.bond", "ec.baby", "el-radu-easy4y.one", "asik-eye-surgery-63293.bond", "p-inbox4.click", "0417.one", "ualitystore.shop", "partments-for-rent-61932.bond", "enobscotlobster.online", "fhou.link", "eo56a3oouu.top", "cweb.cyou", "hoe-organizer-za.today", "p806.top"]}

Yara Overview

Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
      • 0x18829:$sqlite3step: 68 34 1C 7B E1
      • 0x1893c:$sqlite3step: 68 34 1C 7B E1
      • 0x18858:$sqlite3text: 68 38 2A 90 C5
      • 0x1897d:$sqlite3text: 68 38 2A 90 C5
      • 0x1886b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18993:$sqlite3blob: 68 53 D8 7F 8C
(34 entries in total)
Source: 1.2.svchost.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 1.2.svchost.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab07:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.svchost.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
          • 0x17a29:$sqlite3step: 68 34 1C 7B E1
          • 0x17b3c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a58:$sqlite3text: 68 38 2A 90 C5
          • 0x17b7d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a6b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b93:$sqlite3blob: 68 53 D8 7F 8C
(15 entries in total)
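The Yara strings listed above are fixed byte sequences, and every one of them appears in both sources at offsets that differ by exactly 0xE00 (0x6251 versus 0x5451 for $a1, 0x18829 versus 0x17a29 for $sqlite3step, and so on): the same unpacked payload is seen once in the dropper's 0x1D10000 region and once as the image hollowed into svchost.exe at 0x400000. The JPCERT strings all begin with 0x68, the x86 push imm32 opcode, so each one matches a 32-bit constant being pushed; the rule names them after sqlite3 functions, which fits FormBook locating APIs by hash rather than by name. The script below is an added example, not the rule authors' or Joe Sandbox's code: it re-implements plain byte matching for the strings quoted above over a constructed buffer, reports hits in the report's offset:$name format, and decodes the push immediates. The combining condition in formbook_like() is an assumption made here for illustration, not the real rules' conditions.

```python
"""Pure-Python scan for the fixed byte strings shown in the Yara matches above.

Added example, not Joe Sandbox's or the rule authors' code. The hex strings are
copied from the match listing; the scanning loop, the sample buffer and the
combining condition in formbook_like() are assumptions made here.
"""
import struct

# name -> hex string, taken from the match listing above
PATTERNS = {
    "$a1": "3C 30 50 4F 53 54 74 09 40",
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hexpat(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def find_all(buf: bytes, pat: bytes) -> list:
    """All offsets of pat in buf, overlapping hits included (as Yara reports them)."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf: bytes) -> dict:
    """{name: [offsets]} for every pattern that occurs at least once."""
    out = {}
    for name, hx in PATTERNS.items():
        offs = find_all(buf, hexpat(hx))
        if offs:
            out[name] = offs
    return out


def report(buf: bytes) -> list:
    """Lines in the report's own '0xOFF:$name: XX XX ..' format."""
    return ["0x%x:%s: %s" % (off, name, PATTERNS[name])
            for name, offs in scan(buf).items() for off in offs]


def push_imm32(hx: str):
    """68 xx xx xx xx is x86 'push imm32'; return the little-endian immediate."""
    b = hexpat(hx)
    if len(b) == 5 and b[0] == 0x68:
        return struct.unpack("<I", b[1:])[0]
    return None


def formbook_like(buf: bytes) -> bool:
    """Assumed combining condition (not the rules' real conditions): at least two
    of the code-pattern strings, or all three sqlite3 push constants."""
    hits = scan(buf)
    code_hits = sum(1 for n in ("$a1", "$a2", "$a3", "$a4") if n in hits)
    sqlite_hits = all(n in hits for n in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"))
    return code_hits >= 2 or sqlite_hits


def sample_buffer() -> bytes:
    """Constructed test image: incrementing filler (which cannot contain any of the
    patterns, since consecutive filler bytes always differ by one) with $a1 and the
    three sqlite3 constants planted at fixed offsets."""
    buf = bytearray(bytes(range(256)) * 4)        # 1024 bytes of filler
    for off, name in ((0x100, "$a1"), (0x200, "$sqlite3step"),
                      (0x210, "$sqlite3text"), (0x220, "$sqlite3blob"),
                      (0x300, "$sqlite3step")):
        pat = hexpat(PATTERNS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    buf = sample_buffer()
    for line in report(buf):
        print(line)
    print("sqlite3_step constant:", hex(push_imm32(PATTERNS["$sqlite3step"])))
    print("formbook_like:", formbook_like(buf))
```

To run the same check against one of the report's own artifacts, read the dumped region or the unpacked PE into bytes and pass it to report(); the offsets it prints should line up with the listing for whichever source you used.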

          System Summary

          Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\(2).docx.exe", CommandLine: "C:\Users\user\Desktop\(2).docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\(2).docx.exe, NewProcessName: C:\Users\user\Desktop\(2).docx.exe, OriginalFileName: C:\Users\user\Desktop\(2).docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\(2).docx.exe", ProcessId: 7308, ProcessName: (2).docx.exe
          Source: Process started; Author: Nik Seetharaman; Data: Command: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 7416, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", ProcessId: 7440, ProcessName: cmd.exe
          Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\(2).docx.exe", CommandLine: "C:\Users\user\Desktop\(2).docx.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\(2).docx.exe", ParentImage: C:\Users\user\Desktop\(2).docx.exe, ParentProcessId: 7308, ParentProcessName: (2).docx.exe, ProcessCommandLine: "C:\Users\user\Desktop\(2).docx.exe", ProcessId: 7336, ProcessName: svchost.exe
          Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\(2).docx.exe", CommandLine: "C:\Users\user\Desktop\(2).docx.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\(2).docx.exe", ParentImage: C:\Users\user\Desktop\(2).docx.exe, ParentProcessId: 7308, ParentProcessName: (2).docx.exe, ProcessCommandLine: "C:\Users\user\Desktop\(2).docx.exe", ProcessId: 7336, ProcessName: svchost.exe
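The four process-start records above, together with the process tree, are enough for a detection engineer to reproduce the Sigma hits without the sandbox. The script below is an added example, not Joe Sandbox's or the Sigma rules' code: it runs five constructed Sysmon-style events (four copied from the records above, with the dropper's parent image filled in from the process tree where PID 2580 is explorer.exe, plus one benign services.exe-spawned svchost.exe as a control) through rules for the same behaviours: a double extension, svchost.exe with a parent other than services.exe, a child of cmstp.exe, an image whose command line names a different executable (the trace process hollowing leaves, since the svchost.exe here still carries the dropper's command line), and cmd.exe deleting a binary under the system directories. The rule names and the parent allowlist are this example's assumptions.

```python
"""Process-creation triage for the execution chain recorded above.

Added example, not Joe Sandbox's or the Sigma rules' code. EVENTS is constructed
here from the process-start records above (Sysmon event-1 style fields); rule
names, the parent allowlist and the extension lists are this example's own.
"""
import ntpath
import re

EVENTS = [
    {"ProcessId": 7308, "Image": r"C:\Users\user\Desktop\(2).docx.exe",
     "CommandLine": r'"C:\Users\user\Desktop\(2).docx.exe"',
     "ParentProcessId": 2580, "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 7336, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\(2).docx.exe"',
     "ParentProcessId": 7308, "ParentImage": r"C:\Users\user\Desktop\(2).docx.exe"},
    {"ProcessId": 7416, "Image": r"C:\Windows\SysWOW64\cmstp.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\cmstp.exe"',
     "ParentProcessId": 2580, "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 7440, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Windows\SysWOW64\svchost.exe"',
     "ParentProcessId": 7416, "ParentImage": r"C:\Windows\SysWOW64\cmstp.exe"},
    # constructed benign control: a service host started by the SCM
    {"ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
]

DOUBLE_EXT = re.compile(
    r"\.(doc|docx|pdf|xls|xlsx|ppt|pptx|rtf|txt|jpg|png)\.(exe|scr|com|pif|bat|cmd)$", re.I)
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe"}   # assumed allowlist
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def base(path):
    return ntpath.basename(path).lower()


def cmdline_image(cmdline):
    """Program named by a Windows command line: the quoted first token, or the
    first whitespace-delimited token when unquoted."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    parts = s.split()
    return parts[0] if parts else ""


def triage(events):
    """{ProcessId: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        img, parent, cmd = base(ev["Image"]), base(ev["ParentImage"]), ev["CommandLine"]
        flags = []
        # double extension: (2).docx.exe pretends to be a Word document
        if DOUBLE_EXT.search(img):
            flags.append("double_extension_execution")
        # svchost.exe is normally a child of services.exe; here its parent is the dropper
        if img == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
            flags.append("uncommon_svchost_parent")
        # cmstp.exe (a LOLBin) has no business spawning a shell
        if parent == "cmstp.exe":
            flags.append("cmstp_child_process")
        # process hollowing leaves the host image with the dropper's command line
        claimed = base(cmdline_image(cmd))
        if claimed.endswith(".exe") and claimed != img:
            flags.append("image_commandline_mismatch")
        # cleanup of a binary under the system directories
        if img == "cmd.exe" and re.search(r"\bdel\b", cmd, re.I) \
                and any(d in cmd.lower() for d in SYSTEM_DIRS):
            flags.append("system_binary_deletion")
        if flags:
            hits[ev["ProcessId"]] = flags
    return hits


if __name__ == "__main__":
    for pid, flags in triage(EVENTS).items():
        print(pid, ", ".join(flags))
```

The image/command-line mismatch rule is the one worth keeping even where the other three are already covered by Sigma: it needs no knowledge of the dropper's name and fires on the hollowed host itself (PID 7336 here), which is the process that later injects into explorer.exe.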
          No Suricata rule has matched

          AV Detection

          Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.2creativedesign.online/ud04/"], "decoy": ["oum7.pro", "ovonordisk.online", "akrzus.pro", "tendmtedcpsa.site", "mm.foo", "animevyhgsft29817.click", "digdxxb.info", "1130.vip", "uy-now-pay-later-74776.bond", "ybzert.online", "edcn.link", "rime-flow-bay.xyz", "nd777id.beauty", "otoyama.shop", "lranchomx.xyz", "unluoren.top", "uglesang-troms.net", "udulbet88.net", "raquewear.shop", "ijanarko.net", "iuxy.host", "itaxia.dev", "hisewntbqg.makeup", "talianfood.store", "22gxx.app", "tandkite.fun", "rovideoeditor.shop", "ires-86307.bond", "elitjatarjoukset.click", "rofilern.net", "uycarpaylater-02-t1e-01.today", "futurum.xyz", "inance15.site", "alance-ton-budget.net", "tpuniplay.shop", "dlpli.xyz", "riteon.online", "rippyshaker.shop", "rn10.top", "linko1win.icu", "ugeniolopez.art", "raphic-design-degree-68380.bond", "narchists.info", "uy-now-pay-later-25573.bond", "gzvmt.info", "df.clinic", "onesome.store", "imba-168.net", "ayef.xyz", "64axyozkgl.top", "dult-diapers-53774.bond", "ec.baby", "el-radu-easy4y.one", "asik-eye-surgery-63293.bond", "p-inbox4.click", "0417.one", "ualitystore.shop", "partments-for-rent-61932.bond", "enobscotlobster.online", "fhou.link", "eo56a3oouu.top", "cweb.cyou", "hoe-organizer-za.today", "p806.top"]}
          Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
          Source: (2).docx.exe; Joe Sandbox ML: detected
          Source: (2).docx.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00316CA9
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_003160DD
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_003163F9
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0031EB60
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_0031F56F FindFirstFileW,FindClose, 0_2_0031F56F
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0031F5FA
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00321B2F
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00321C8A
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00321F94
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop ebx, 1_2_00407B28

          Networking

          Source: Malware configuration extractor; URLs: www.2creativedesign.online/ud04/
          Source: unknown; DNS traffic detected: query: www.2creativedesign.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.tandkite.fun reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ijanarko.net reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ualitystore.shop reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.onesome.store reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.riteon.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.p-inbox4.click reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.elitjatarjoukset.click reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ovonordisk.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.narchists.info reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.gzvmt.info reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.2creativedesign.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.tandkite.fun reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ijanarko.net reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ualitystore.shop reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.onesome.store reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.riteon.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.p-inbox4.click reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.elitjatarjoukset.click reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.ovonordisk.online reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.narchists.info reply code: Name error (3)
          Source: unknown; DNS traffic detected: query: www.gzvmt.info reply code: Name error (3)
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\(2).docx.exe; Code function: 0_2_00324EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00324EB5
          Source: global traffic; DNS traffic detected: DNS query: www.elitjatarjoukset.click
          Source: global traffic; DNS traffic detected: DNS query: www.gzvmt.info
          Source: global traffic; DNS traffic detected: DNS query: www.riteon.online
          Source: global traffic; DNS traffic detected: DNS query: www.ovonordisk.online
          Source: global traffic; DNS traffic detected: DNS query: www.narchists.info
          Source: global traffic; DNS traffic detected: DNS query: www.ijanarko.net
          Source: global traffic; DNS traffic detected: DNS query: www.2creativedesign.online
          Source: global traffic; DNS traffic detected: DNS query: www.tandkite.fun
          Source: global traffic; DNS traffic detected: DNS query: www.ualitystore.shop
          Source: global traffic; DNS traffic detected: DNS query: www.onesome.store
          Source: global traffic; DNS traffic detected: DNS query: www.p-inbox4.click
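The queries above are the C2 host plus a sample of the decoys from the extracted configuration, every one answered with NXDOMAIN, which is what the "no domain seems valid (expired dropper behavior)" signature summarises; the explorer.exe strings further down in this section show the same /ud04/ path being built for decoy hosts as for the C2. When turning the configuration into indicators, the C2 URL and the decoys deserve different handling: FormBook resolves decoys to hide the real server among unrelated names, so a decoy entry is not by itself attacker infrastructure. The script below is an added example, not Joe Sandbox's code: CONFIG is a subset of the configuration printed in this report, DNS_LOG is constructed here in the report's line format (with one added .invalid control query that is not from the report), and the script classifies each query against the configuration, flags the dead-C2 condition, and splits the indicators into a block list and a watch list.

```python
"""Correlate the extracted FormBook configuration with the observed DNS queries.

Added example, not Joe Sandbox's code. CONFIG is a subset of the configuration
printed in this report; DNS_LOG is constructed here in the report's own DNS line
format (the .invalid query is an added control and not from the report).
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.2creativedesign.online/ud04/"],
    "decoy": ["tandkite.fun", "ijanarko.net", "ualitystore.shop", "onesome.store",
              "riteon.online", "p-inbox4.click", "elitjatarjoukset.click",
              "ovonordisk.online", "narchists.info", "gzvmt.info"],
}

DNS_LOG = """\
Source: unknown; DNS traffic detected: query: www.2creativedesign.online reply code: Name error (3)
Source: unknown; DNS traffic detected: query: www.tandkite.fun reply code: Name error (3)
Source: unknown; DNS traffic detected: query: www.ijanarko.net reply code: Name error (3)
Source: unknown; DNS traffic detected: query: www.gzvmt.info reply code: Name error (3)
Source: unknown; DNS traffic detected: query: www.example.invalid reply code: No error (0)
"""

# tolerates both the sandbox spelling "replaycode" and "reply code"
LINE = re.compile(r"query:\s+(\S+)\s+(?:replaycode|reply\s?code):\s+(.*?)\s+\((\d+)\)")


def parse_dns(text):
    """[(qname, rcode)] for every line that carries a DNS query and reply code."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            out.append((m.group(1).lower().rstrip("."), int(m.group(3))))
    return out


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def host_of(entry):
    """Hostname of a config entry; the extracted entries carry no scheme."""
    return strip_www(urlsplit("http://" + entry).hostname.lower())


def classify(config, queries):
    """{qname: {'role': 'c2'|'decoy'|'unrelated', 'rcode': int}}"""
    c2 = {host_of(u) for u in config["C2 list"]}
    decoys = {host_of(d) for d in config["decoy"]}
    result = {}
    for qname, rcode in queries:
        key = strip_www(qname)
        role = "c2" if key in c2 else "decoy" if key in decoys else "unrelated"
        result[qname] = {"role": role, "rcode": rcode}
    return result


def c2_dead(classified):
    """True when every C2 lookup returned NXDOMAIN (rcode 3), the condition behind
    the report's 'no domain seems valid (expired dropper behavior)' signature."""
    c2 = [v for v in classified.values() if v["role"] == "c2"]
    return bool(c2) and all(v["rcode"] == 3 for v in c2)


def indicators(config):
    """C2 URLs are blocking-grade; decoys are queried to hide the C2 and are
    not necessarily attacker-controlled, so they only go on a watch list."""
    return {"block": sorted("http://" + u for u in config["C2 list"]),
            "watch": sorted(host_of(d) for d in config["decoy"])}


if __name__ == "__main__":
    c = classify(CONFIG, parse_dns(DNS_LOG))
    for name, info in c.items():
        print(f"{name:32} {info['role']:9} rcode={info['rcode']}")
    print("C2 dead:", c2_dead(c))
    print(indicators(CONFIG))
```

Feed it the full decoy list from the configuration and the complete DNS section of the report and the watch list doubles as a hunting list for the sandbox's own NXDOMAIN noise; only the block entry belongs in a proxy or DNS sinkhole policy.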
          Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.mi
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.micr
          Source: explorer.exe, 00000002.00000000.1720385480.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1718080624.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4162452584.0000000008720000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.2creativedesign.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.2creativedesign.online/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.2creativedesign.online/ud04/www.tandkite.fun
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.2creativedesign.onlineReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.df.clinic
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.df.clinic/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.df.clinic/ud04/www.tendmtedcpsa.site
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.df.clinicReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.elitjatarjoukset.click
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.elitjatarjoukset.click/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.elitjatarjoukset.click/ud04/www.gzvmt.info
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.elitjatarjoukset.clickReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.gzvmt.info
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.gzvmt.info/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.gzvmt.info/ud04/www.riteon.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.gzvmt.infoReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.ijanarko.net
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.ijanarko.net/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.ijanarko.net/ud04/www.2creativedesign.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.ijanarko.netReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.inance15.site
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.inance15.site/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.inance15.site/ud04/www.df.clinic
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.inance15.siteReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.lranchomx.xyz
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.lranchomx.xyz/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lranchomx.xyz/ud04/www.inance15.site
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lranchomx.xyzReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.narchists.info
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.narchists.info/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.narchists.info/ud04/www.ijanarko.net
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.narchists.infoReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onesome.store
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onesome.store/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onesome.store/ud04/www.p-inbox4.click
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onesome.storeReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ovonordisk.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ovonordisk.online/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ovonordisk.online/ud04/www.narchists.info
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ovonordisk.onlineReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-inbox4.click
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-inbox4.click/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-inbox4.click/ud04/www.lranchomx.xyz
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-inbox4.clickReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.riteon.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.riteon.online/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.riteon.online/ud04/www.ovonordisk.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.riteon.onlineReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tandkite.fun
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tandkite.fun/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tandkite.fun/ud04/www.ualitystore.shop
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tandkite.funReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tendmtedcpsa.site
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tendmtedcpsa.site/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tendmtedcpsa.siteReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ualitystore.shop
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ualitystore.shop/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ualitystore.shop/ud04/www.ybzert.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ualitystore.shopReferer:
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybzert.online
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybzert.online/ud04/
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybzert.online/ud04/www.onesome.store
          Source: explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybzert.onlineReferer:
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4158924998.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1716063740.0000000003700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00326B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00326B0C
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00326D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00326D07
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00312B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00312B37
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0033F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0033F7FF

          E-Banking Fraud

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D3D19 This is a third-party compiled AutoIt script.
Source: (2).docx.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_52f403a0-3
Source: (2).docx.exe, 00000000.00000000.1686077283.000000000037E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 0SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_df831d4d-e
Source: (2).docx.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_60488e8c-5
Source: (2).docx.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_aa3508c2-d
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A340 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A3F0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A470 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A520 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A3EB NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A392 NtCreateFile,NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A51C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F90 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034735C0 NtCreateMutant
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CA042 NtQueryInformationProcess
Source: C:\Windows\explorer.exe | Code function: 2_2_0E636232 NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 2_2_0E637E12 NtProtectVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 2_2_0E637E0A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00316606: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_003179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FB043
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002E3200
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002E3B70
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030410F
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F02A4
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030038E
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002DE3E3
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030467F
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F06D9
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0033AACE
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00304BEF
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002ECC7F
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FCCC1
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D6F07
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002DAF50
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EB11F
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_003331BC
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FD1B9
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F123A
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030724D
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D93F0
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_003113CA
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EF563
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D96C0
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0031B6CC
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D77B0
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0033F7FF
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_003079C9
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EFA57
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D9B60
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D7D19
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EFE6F
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F9ED0
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D7FA3
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_012597C8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401026
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E1B7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041DA08
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CA036
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CB232
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C1082
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CE5CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C5B30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C5B32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C8912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C2D02
Source: C:\Windows\explorer.exe | Code function: 2_2_0E636232
Source: C:\Windows\explorer.exe | Code function: 2_2_0E635036
Source: C:\Windows\explorer.exe | Code function: 2_2_0E62C082
Source: C:\Windows\explorer.exe | Code function: 2_2_0E630B32
Source: C:\Windows\explorer.exe | Code function: 2_2_0E630B30
Source: C:\Windows\explorer.exe | Code function: 2_2_0E62DD02
Source: C:\Windows\explorer.exe | Code function: 2_2_0E633912
Source: C:\Windows\explorer.exe | Code function: 2_2_0E6395CD
Source: C:\Windows\explorer.exe | Code function: 2_2_10AB5082
Source: C:\Windows\explorer.exe | Code function: 2_2_10ABE036
Source: C:\Windows\explorer.exe | Code function: 2_2_10AC25CD
Source: C:\Windows\explorer.exe | Code function: 2_2_10AB6D02
Source: C:\Windows\explorer.exe | Code function: 2_2_10ABC912
Source: C:\Windows\explorer.exe | Code function: 2_2_10ABF232
Source: C:\Windows\explorer.exe | Code function: 2_2_10AB9B32
Source: C:\Windows\explorer.exe | Code function: 2_2_10AB9B30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 103 times
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: String function: 002F6AC0 appears 42 times
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: String function: 002FF8A0 appears 35 times
Source: C:\Users\user\Desktop\(2).docx.exe | Code function: String function: 002EEC2F appears 68 times
Source: (2).docx.exe, 00000000.00000003.1711064108.0000000003C2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe
Source: (2).docx.exe, 00000000.00000003.1706891600.0000000003A83000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs (2).docx.exe
Source: (2).docx.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: (2).docx.exe PID: 7308, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 7336, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmstp.exe PID: 7416, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@108/3@11/0
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0031CE7A GetLastError,FormatMessageW, 0_2_0031CE7A
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030AB84 AdjustTokenPrivileges,CloseHandle, 0_2_0030AB84
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0030B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_0030B134
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0031E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0031E1FD
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00316532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_00316532
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0032C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0032C18C
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002D406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_002D406B
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
          Source: C:\Users\user\Desktop\(2).docx.exe | File created: C:\Users\user\AppData\Local\Temp\aut89B9.tmp
          Source: (2).docx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\(2).docx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\(2).docx.exe "C:\Users\user\Desktop\(2).docx.exe"
          Source: C:\Users\user\Desktop\(2).docx.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\(2).docx.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\(2).docx.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: cmutil.dll
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: (2).docx.exe | Static file information: File size 1310208 > 1048576
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: (2).docx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: cmstp.pdbGCTL source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: (2).docx.exe, 00000000.00000003.1710199519.0000000003960000.00000004.00001000.00020000.00000000.sdmp, (2).docx.exe, 00000000.00000003.1703950706.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713084790.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771326144.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1711161048.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.0000000004590000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000002.4158569975.000000000472E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1772205219.00000000043EA000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000003.00000003.1769783725.0000000004235000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: svchost.exe, 00000001.00000003.1768938780.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768777002.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1771267761.00000000031E0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157551196.0000000000370000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4173159829.0000000010D6F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4159091144.0000000004ADF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000003.00000002.4157938897.00000000027FC000.00000004.00000020.00020000.00000000.sdmp
          Source: (2).docx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: (2).docx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: (2).docx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: (2).docx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: (2).docx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress, 0_2_002EE01E
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FC09E push esi; ret 0_2_002FC0A0
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FC187 push edi; ret 0_2_002FC189
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0033C8BC push esi; ret 0_2_0033C8BE
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F6B05 push ecx; ret 0_2_002F6B18
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_0031B2B1 push FFFFFF8Bh; iretd 0_2_0031B2B3
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FBDAA push edi; ret 0_2_002FBDAC
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002FBEC3 push esi; ret 0_2_002FBEC5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404905 push eax; iretd 1_2_0040490C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417AD0 push ecx; ret 1_2_00417AD1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416431 push 00000063h; ret 1_2_00416438
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4E2 push eax; ret 1_2_0041D4E8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4EB push eax; ret 1_2_0041D552
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00409C84 push esi; ret 1_2_00409C85
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D495 push eax; ret 1_2_0041D4E8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D54C push eax; ret 1_2_0041D552
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041973C push esi; retf 1_2_0041973D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340225F pushad ; ret 1_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034027FA pushad ; ret 1_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx 1_2_034309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340283D push eax; iretd 1_2_03402858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340135E push eax; iretd 1_2_03401369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CEB1E push esp; retn 0000h 1_2_031CEB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CEB02 push esp; retn 0000h 1_2_031CEB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031CE9B5 push esp; retn 0000h 1_2_031CEAE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E639B02 push esp; retn 0000h 2_2_0E639B03
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E639B1E push esp; retn 0000h 2_2_0E639B1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E6399B5 push esp; retn 0000h 2_2_0E639AE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_10AC29B5 push esp; retn 0000h 2_2_10AC2AE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_10AC2B02 push esp; retn 0000h 2_2_10AC2B03
          Source: C:\Windows\explorer.exe | Code function: 2_2_10AC2B1E push esp; retn 0000h 2_2_10AC2B1F

          Hooking and other Techniques for Hiding and Protection

          Source: Possible double extension: docx.exe | Static PE information: (2).docx.exe
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_00338111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00338111
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002EEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_002EEB42
          Source: C:\Users\user\Desktop\(2).docx.exe | Code function: 0_2_002F123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_002F123A
          Source: C:\Users\user\Desktop\(2).docx.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\(2).docx.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\(2).docx.exeAPI/Special instruction interceptor: Address: 12593EC
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\cmstp.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 26E9904 second address: 26E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 26E9B7E second address: 26E9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00409AB0 rdtsc 1_2_00409AB0
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1402
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8546
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 869
          Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 8100
          Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 1873
          Source: C:\Users\user\Desktop\(2).docx.exe Evaded block: after key decision graph_0-93442
          Source: C:\Users\user\Desktop\(2).docx.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94300
          Source: C:\Users\user\Desktop\(2).docx.exe API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
          Source: C:\Windows\explorer.exe TID: 7748 Thread sleep count: 1402 > 30
          Source: C:\Windows\explorer.exe TID: 7748 Thread sleep time: -2804000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7748 Thread sleep count: 8546 > 30
          Source: C:\Windows\explorer.exe TID: 7748 Thread sleep time: -17092000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516 Thread sleep count: 8100 > 30
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516 Thread sleep time: -16200000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516 Thread sleep count: 1873 > 30
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 7516 Thread sleep time: -3746000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00316CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00316CA9
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_003160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003160DD
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_003163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003163F9
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_0031EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0031EB60
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_0031F56F FindFirstFileW,FindClose,0_2_0031F56F
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_0031F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0031F5FA
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00321B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00321B2F
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00321C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00321C8A
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00321F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00321F94
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002EDDC0
          Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1723443132.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D.exe??f
          Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
          Source: explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
          Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000002.00000000.1719453857.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000002.00000000.1719453857.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000002.00000002.4164107496.000000000997A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000002.00000000.1717133268.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000002.00000002.4163062009.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409AB0 rdtsc 1_2_00409AB0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040ACF0 LdrLoadDll,1_2_0040ACF0
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00326AAF BlockInput,0_2_00326AAF
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_002D3D19
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_00303920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00303920
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_002EE01E LoadLibraryA,GetProcAddress,0_2_002EE01E
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_01258048 mov eax, dword ptr fs:[00000030h] 0_2_01258048
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_01259658 mov eax, dword ptr fs:[00000030h] 0_2_01259658
          Source: C:\Users\user\Desktop\(2).docx.exe Code function: 0_2_012596B8 mov eax, dword ptr fs:[00000030h] 0_2_012596B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h] 1_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h] 1_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h] 1_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h] 1_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h] 1_2_034D8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h] 1_2_0350634F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h] 1_2_034D437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h] 1_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h] 1_2_0342C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h] 1_2_03450310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h] 1_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h] 1_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h] 1_2_034EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h] 1_2_034B63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h] 1_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h] 1_2_034D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h] 1_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h] 1_2_034663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h] 1_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h] 1_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h] 1_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h] 1_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h] 1_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h] 1_2_0350625D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h] 1_2_0342A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h] 1_2_03436259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h] 1_2_034EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h] 1_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h] 1_2_0342826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h] 1_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h] 1_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h] 1_2_035062D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h] 1_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h] 1_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h] 1_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h] 1_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h] 1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h] 1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h] 1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h] 1_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h] 1_2_034C8158
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h] 1_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h] 1_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h] 1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h] 1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h] 1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h] 1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h] 1_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03460124 mov eax, dword ptr fs:[00000030h] 1_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h] 1_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h] 1_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h] 1_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03470185 mov eax, dword ptr fs:[00000030h] 1_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h] 1_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h] 1_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h] 1_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h] 1_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h] 1_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h] 1_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h] 1_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h] 1_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h] 1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h] 1_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h] 1_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h] 1_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h] 1_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h] 1_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]1_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]1_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]1_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]1_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]1_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]1_2_034280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]1_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]1_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]1_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]1_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]1_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]1_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]1_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]1_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]1_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]1_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]1_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]1_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]1_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]1_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]1_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]1_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]1_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]1_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]1_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]1_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]1_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]1_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]1_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]1_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]1_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]1_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]1_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]1_2_034666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]1_2_034C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]1_2_034365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]1_2_034325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]1_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]1_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]1_2_03464588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]1_2_0346E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]1_2_034EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]1_2_0342645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]1_2_0345245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]1_2_034BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]1_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]1_2_0342C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]1_2_034304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]1_2_034EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]1_2_034364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]1_2_034644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]1_2_034BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]1_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]1_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]1_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]1_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]1_2_034D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]1_2_03428B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]1_2_034DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]1_2_0342CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]1_2_03504B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]1_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]1_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]1_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]1_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]1_2_034DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]1_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]1_2_0345EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]1_2_034BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]1_2_03440BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]1_2_034E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]1_2_03440A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]1_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]1_2_034DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]1_2_034ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]1_2_034BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]1_2_0346CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]1_2_0345EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]1_2_03454A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]1_2_03454A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]    1_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]    1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]    1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]    1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]    1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]    1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]    1_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]    1_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]    1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]    1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]    1_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]    1_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]    1_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]    1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]    1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]    1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]    1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]    1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]    1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]    1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]    1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]    1_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]    1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]    1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]    1_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]    1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]    1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]    1_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]    1_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]    1_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]    1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]    1_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]    1_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]    1_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]    1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]    1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]    1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]    1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]    1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]    1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]    1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]    1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]    1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]    1_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]    1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]    1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]    1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]    1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]    1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]    1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]    1_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]    1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]    1_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]    1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]    1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]    1_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]    1_2_035008C0
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0030A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,    0_2_0030A66C
Source: C:\Windows\SysWOW64\svchost.exe    Process token adjusted: Debug
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_002F81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,    0_2_002F81AC
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_002F8189 SetUnhandledExceptionFilter,    0_2_002F8189

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\(2).docx.exe    Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe    Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe    Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe    Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe    Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe    Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe    Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\cmstp.exe    Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\svchost.exe    Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe    Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 370000
Source: C:\Users\user\Desktop\(2).docx.exe    Memory written: C:\Windows\SysWOW64\svchost.exe base: 9C1008
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0030B106 LogonUserW,    0_2_0030B106
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_002D3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,    0_2_002D3D19
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0031411C SendInput,keybd_event,    0_2_0031411C
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_003174BB mouse_event,    0_2_003174BB
Source: C:\Users\user\Desktop\(2).docx.exe    Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\(2).docx.exe"
Source: C:\Windows\SysWOW64\cmstp.exe    Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0030A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,    0_2_0030A66C
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_003171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,    0_2_003171FA
Source: (2).docx.exe, explorer.exe, 00000002.00000002.4163164050.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159983624.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009815000.00000004.00000001.00020000.00000000.sdmp    Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Progman
Source: (2).docx.exe    Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000002.00000000.1715123564.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4157904661.0000000001240000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.4158377602.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1715393255.00000000018A0000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_002F65C4 cpuid    0_2_002F65C4
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0032091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,    0_2_0032091D
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0034B340 GetUserNameW,    0_2_0034B340
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_00301E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,    0_2_00301E8E
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_002EDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,    0_2_002EDDC0

Stealing of Sensitive Information

Source: Yara match    File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match    File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: (2).docx.exe    Binary or memory string: WIN_81
Source: (2).docx.exe    Binary or memory string: WIN_XP
Source: (2).docx.exe    Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: (2).docx.exe    Binary or memory string: WIN_XPe
Source: (2).docx.exe    Binary or memory string: WIN_VISTA
Source: (2).docx.exe    Binary or memory string: WIN_7
Source: (2).docx.exe    Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match    File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match    File source: 0.2.(2).docx.exe.1d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 0.2.(2).docx.exe.1d10000.1.unpack, type: UNPACKEDPE
Source: Yara match    File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match    File source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match    File source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_00328C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,    0_2_00328C4F
Source: C:\Users\user\Desktop\(2).docx.exe    Code function: 0_2_0032923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,    0_2_0032923B
MITRE ATT&CK matrix (one line per tactic; the numeric prefixes are the report's per-technique counts as printed in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 3 Native API; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 512 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 13 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 512 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 215 System Information Discovery; 251 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1560294    Sample: (2).docx.exe    Start date: 21/11/2024    Architecture: WINDOWS    Score: 100

Start node: contacts www.ualitystore.shop, www.tandkite.fun and 9 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected FormBook; 8 other signatures. Starts (2).docx.exe.
(2).docx.exe: Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces. Starts svchost.exe.
svchost.exe: Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures. Injects into explorer.exe.
explorer.exe (injected): Starts cmstp.exe.
cmstp.exe: Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces. Starts cmd.exe.
cmd.exe: Starts conhost.exe.

Source    Detection    Scanner    Label    Link
(2).docx.exe    100%    Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source    Detection    Scanner    Label    Link
http://www.inance15.site/ud04/www.df.clinic    0%    Avira URL Cloud    safe
http://www.riteon.onlineReferer:    0%    Avira URL Cloud    safe
http://www.df.clinic    0%    Avira URL Cloud    safe
http://www.2creativedesign.online/ud04/www.tandkite.fun    0%    Avira URL Cloud    safe
http://www.narchists.info/ud04/    0%    Avira URL Cloud    safe
http://www.narchists.info/ud04/www.ijanarko.net    0%    Avira URL Cloud    safe
www.2creativedesign.online/ud04/    0%    Avira URL Cloud    safe
http://www.gzvmt.info/ud04/    0%    Avira URL Cloud    safe
http://www.narchists.info    0%    Avira URL Cloud    safe
http://www.2creativedesign.online/ud04/    0%    Avira URL Cloud    safe
http://www.ualitystore.shopReferer:    0%    Avira URL Cloud    safe
http://www.ybzert.online/ud04/    0%    Avira URL Cloud    safe
http://www.onesome.storeReferer:    0%    Avira URL Cloud    safe
http://www.df.clinicReferer:    0%    Avira URL Cloud    safe
http://www.onesome.store/ud04/www.p-inbox4.click    0%    Avira URL Cloud    safe
http://www.riteon.online    0%    Avira URL Cloud    safe
http://www.tandkite.fun    0%    Avira URL Cloud    safe
http://www.lranchomx.xyz/ud04/    0%    Avira URL Cloud    safe
http://www.ovonordisk.online/ud04/    0%    Avira URL Cloud    safe
http://www.lranchomx.xyz/ud04/www.inance15.site    0%    Avira URL Cloud    safe
http://www.ualitystore.shop/ud04/www.ybzert.online    0%    Avira URL Cloud    safe
http://www.onesome.store/ud04/    0%    Avira URL Cloud    safe
http://www.elitjatarjoukset.click/ud04/    0%    Avira URL Cloud    safe
http://www.lranchomx.xyz    0%    Avira URL Cloud    safe
http://www.p-inbox4.click    0%    Avira URL Cloud    safe
http://www.df.clinic/ud04/www.tendmtedcpsa.site    0%    Avira URL Cloud    safe
http://www.ovonordisk.online/ud04/www.narchists.info    0%    Avira URL Cloud    safe
http://www.df.clinic/ud04/    0%    Avira URL Cloud    safe
http://www.ualitystore.shop/ud04/    0%    Avira URL Cloud    safe
http://www.ijanarko.net/ud04/www.2creativedesign.online    0%    Avira URL Cloud    safe
http://www.p-inbox4.clickReferer:    0%    Avira URL Cloud    safe
http://www.tendmtedcpsa.site    0%    Avira URL Cloud    safe
http://www.inance15.site/ud04/    0%    Avira URL Cloud    safe
http://www.onesome.store    0%    Avira URL Cloud    safe
http://www.lranchomx.xyzReferer:    0%    Avira URL Cloud    safe
http://www.ovonordisk.onlineReferer:    0%    Avira URL Cloud    safe
http://www.tandkite.fun/ud04/    0%    Avira URL Cloud    safe
http://www.ybzert.online/ud04/www.onesome.store    0%    Avira URL Cloud    safe
http://www.2creativedesign.online    0%    Avira URL Cloud    safe
http://www.2creativedesign.onlineReferer:    0%    Avira URL Cloud    safe
http://www.inance15.site    0%    Avira URL Cloud    safe
http://www.ualitystore.shop    0%    Avira URL Cloud    safe
http://www.tendmtedcpsa.site/ud04/    0%    Avira URL Cloud    safe
http://www.ijanarko.netReferer:    0%    Avira URL Cloud    safe
http://www.gzvmt.infoReferer:    0%    Avira URL Cloud    safe
http://www.ijanarko.net/ud04/    0%    Avira URL Cloud    safe
http://www.inance15.siteReferer:    0%    Avira URL Cloud    safe
http://www.p-inbox4.click/ud04/    0%    Avira URL Cloud    safe
http://www.ovonordisk.online    0%    Avira URL Cloud    safe
http://www.ijanarko.net    0%    Avira URL Cloud    safe
http://www.tandkite.fun/ud04/www.ualitystore.shop    0%    Avira URL Cloud    safe
http://www.elitjatarjoukset.click    0%    Avira URL Cloud    safe
http://www.elitjatarjoukset.click/ud04/www.gzvmt.info    0%    Avira URL Cloud    safe
http://www.elitjatarjoukset.clickReferer:    0%    Avira URL Cloud    safe
http://www.riteon.online/ud04/    0%    Avira URL Cloud    safe
http://www.gzvmt.info/ud04/www.riteon.online    0%    Avira URL Cloud    safe
Name    IP    Active    Malicious    Antivirus Detection    Reputation
www.ualitystore.shop    unknown    unknown    true    -    unknown
www.ovonordisk.online    unknown    unknown    true    -    unknown
www.onesome.store    unknown    unknown    true    -    unknown
www.ijanarko.net    unknown    unknown    true    -    unknown
www.elitjatarjoukset.click    unknown    unknown    true    -    unknown
www.riteon.online    unknown    unknown    true    -    unknown
www.gzvmt.info    unknown    unknown    true    -    unknown
www.narchists.info    unknown    unknown    true    -    unknown
www.p-inbox4.click    unknown    unknown    true    -    unknown
www.2creativedesign.online    unknown    unknown    true    -    unknown
www.tandkite.fun    unknown    unknown    true    -    unknown
Name    Malicious    Antivirus Detection    Reputation
www.2creativedesign.online/ud04/    true    Avira URL Cloud: safe    unknown
Name    Source    Malicious    Antivirus Detection    Reputation
http://www.narchists.info/ud04/www.ijanarko.net    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
https://aka.ms/odirmr    explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp    false    -    high
http://www.riteon.onlineReferer:    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
http://www.2creativedesign.online/ud04/    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV    explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp    false    -    high
https://api.msn.com:443/v1/news/Feed/Windows?    explorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmp    false    -    high
http://www.narchists.info    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
https://excel.office.com    explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp    false    -    high
http://www.gzvmt.info/ud04/    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
http://www.narchists.info/ud04/    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
http://www.2creativedesign.online/ud04/www.tandkite.fun    explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp    false    Avira URL Cloud: safe    unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we    explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp    false    -    high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/    explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp    false
                                            high
                                            http://www.inance15.site/ud04/www.df.clinicexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.df.clinicexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://www.ovonordisk.online/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.onesome.store/ud04/www.p-inbox4.clickexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000002.00000002.4167170759.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.lranchomx.xyz/ud04/www.inance15.siteexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.ybzert.online/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.lranchomx.xyz/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tandkite.funexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.ualitystore.shopReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://wns.windows.com/Lexplorer.exe, 00000002.00000002.4167170759.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.elitjatarjoukset.click/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.lranchomx.xyzexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://word.office.comexplorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.ybzert.onlineexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.onesome.storeReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.df.clinicReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.riteon.onlineexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.micrexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.ualitystore.shop/ud04/www.ybzert.onlineexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.p-inbox4.clickexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.onesome.store/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.df.clinic/ud04/www.tendmtedcpsa.siteexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.tendmtedcpsa.siteexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://outlook.com_explorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.ovonordisk.online/ud04/www.narchists.infoexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.df.clinic/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://schemas.miexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1720157919.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.ybzert.onlineReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://powerpoint.office.comcemberexplorer.exe, 00000002.00000002.4167170759.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1722046856.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.microexplorer.exe, 00000002.00000000.1720385480.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1718080624.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4162452584.0000000008720000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.ualitystore.shop/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.inance15.site/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.p-inbox4.clickReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.ijanarko.net/ud04/www.2creativedesign.onlineexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.lranchomx.xyzReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.ovonordisk.onlineReferer:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.onesome.storeexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.tandkite.fun/ud04/explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://www.ybzert.online/ud04/www.onesome.storeexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://www.ualitystore.shopexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://api.msn.com/qexplorer.exe, 00000002.00000003.3106173503.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1719453857.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.2creativedesign.onlineexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.inance15.siteexplorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
Name:https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source:explorer.exe, 00000002.00000000.1717133268.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://www.tendmtedcpsa.site/ud04/
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.ijanarko.net/ud04/
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.2creativedesign.onlineReferer:
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.ijanarko.netReferer:
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.gzvmt.infoReferer:
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.p-inbox4.click/ud04/
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.inance15.siteReferer:
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.ovonordisk.online
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source:explorer.exe, 00000002.00000002.4160238706.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://www.ijanarko.net
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.tandkite.fun/ud04/www.ualitystore.shop
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.riteon.online/ud04/
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.elitjatarjoukset.clickReferer:
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:https://aka.ms/Vh5j3k
Source:explorer.exe, 00000002.00000002.4160238706.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1717133268.00000000079FB000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://www.gzvmt.info/ud04/www.riteon.online
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:http://www.elitjatarjoukset.click
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown

Name:https://api.msn.com/v1/news/Feed/Windows?&
Source:explorer.exe, 00000002.00000000.1719453857.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4163164050.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106173503.0000000009701000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Reputation:high

Name:http://www.elitjatarjoukset.click/ud04/www.gzvmt.info
Source:explorer.exe, 00000002.00000002.4164107496.00000000098A8000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
                                                                                                                        No contacted IP infos
                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                        Analysis ID:1560294
                                                                                                                        Start date and time:2024-11-21 16:25:15 +01:00
                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                        Overall analysis duration:0h 10m 17s
                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                        Report type:full
                                                                                                                        Cookbook file name:default.jbs
                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                                                                        Number of new started drivers analysed:0
                                                                                                                        Number of existing processes analysed:0
                                                                                                                        Number of existing drivers analysed:0
                                                                                                                        Number of injected processes analysed:1
                                                                                                                        Technologies:
                                                                                                                        • HCA enabled
                                                                                                                        • EGA enabled
                                                                                                                        • AMSI enabled
                                                                                                                        Analysis Mode:default
                                                                                                                        Sample name:(2).docx.exe
                                                                                                                        renamed because original name is a hash value
                                                                                                                        Original Sample Name:11_21-2024_753e373_9-372-- -A1 (2).docx.exe
                                                                                                                        Detection:MAL
                                                                                                                        Classification:mal100.troj.evad.winEXE@108/3@11/0
                                                                                                                        EGA Information:
                                                                                                                        • Successful, ratio: 100%
                                                                                                                        HCA Information:
                                                                                                                        • Successful, ratio: 100%
                                                                                                                        • Number of executed functions: 61
                                                                                                                        • Number of non-executed functions: 292
                                                                                                                        Cookbook Comments:
                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                        • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • VT rate limit hit for: (2).docx.exe
Time:10:26:54
Type:API Interceptor
Description:6891258x Sleep call for process: cmstp.exe modified

Time:10:26:54
Type:API Interceptor
Description:7129411x Sleep call for process: explorer.exe modified
                                                                                                                        No context
                                                                                                                        Process:C:\Windows\explorer.exe
                                                                                                                        File Type:JSON data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):1019
                                                                                                                        Entropy (8bit):5.236946495216897
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:24:YqHZ6T06Mhm4ymNib0O0bihmCetmKg6CUXyhmimKgbxdB6hmjmKgz0JahmcmKgbR:YqHZ6T06McoEb0O0bicCewHDUXycLHbR
                                                                                                                        MD5:5D20D9B3F928AC964E07C561FD8A3F42
                                                                                                                        SHA1:B702BE149FCF94831A975F2CD06B2DFE020D9632
                                                                                                                        SHA-256:59A4F22870D7A7DC3339917C89FF6AF09FA762AF39F0624338FDDFF631730492
                                                                                                                        SHA-512:30E5F275FFB475A403439C3A4DCC05F3E12A6914D93F20EB38AF3240A7F693A455C25C005A3681AB39C89BFAD9AE66FAAE3874B987FAC48BB6A5439194FDCEDC
                                                                                                                        Malicious:false
                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                        Preview:{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":7763552,"LastSwitchedHighPart":31061488,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":4292730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4282730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4272730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4262730848,"LastSwitchedHighPart":31061487,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4252730848,"LastSwitchedHighPart":31061487,"Pr
                                                                                                                        Process:C:\Users\user\Desktop\(2).docx.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):177490
                                                                                                                        Entropy (8bit):7.968703204970198
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:0XNKekFMyc7YZo9TNfj30+Mj7pV5t+NnzZ8ZwQaz4MwrUhi+LJUyDleU5e85D:09KejyVZST90+0nt6uZxaEMcUtJUuT
                                                                                                                        MD5:6688EF6B7E0333FAF7D2D73C2B6FB1FC
                                                                                                                        SHA1:90BCCFE3D0A858715614FC1962F9269BB1DAF310
                                                                                                                        SHA-256:512218787D6145CCC0ADEECB12269648CFB57008CB4729BA4B6D6BE9BF94C1C2
                                                                                                                        SHA-512:E786457E65738741A92357294FD81252AF1EE109D694EEEC4C414931C7317B09A5619663AC42EF48256417B9B819954286C2BAF75FEFBE592F6818E9675AFC5D
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        Preview:EA06......a.....A.Xv..&....\..:.+...N...f..G.S.:...9.Pi....... P*.zmG.J.\.3xn.#......I$...i...".N...5.s6.....&.......5..N...3...u;...T?.-l.....?_...M9.~4 ....... ...........m.;J.Pr.n....[.]..Y.O(4..8...... . 7.....A.J@...2.K....*..n.........|...S.:.l.A.. `.@...}@.....S..@..Vz..A.\...`....).p...0.C..............?....p.....7..."..6.M..r....2.C..w6.m....Sx.h.k..R.W.kP.]..[........3'.R....^...o5...a....m>...}`4L..'.....3q..M...P....q.8.e[.....\.Mw...m..f^....qZ*L.m...'x*G..G.l6...K...:.=..B........Q.\h.'....bt.BqB..? ..>.......J]..8..4....V.q....N..).m}.....ft~.`...ct.nv.y..P..O\....ct.&....`.U......Sft.v........+)......F#.....3.LVk.....,...J.M.....=...6[.kS..Jg..gF.L.q3.-.O.Q..>....9F..(...+SI.lm.~-...S"...w._.h...4..8...........*...y...J..q.P....B.F.PM.*...^..._.q.....5'.8..7x<...Y.Ik..f..8.F8..+........rc...x..?....h..&.....8..e/Ow......I.C.{z.....v........~.1.......5....%..0.j\o...`.....:.Zu..o..Y...|..9..].)].`.=..;...F.S.?;.A..w.
                                                                                                                        Process:C:\Users\user\Desktop\(2).docx.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):189440
                                                                                                                        Entropy (8bit):7.822492196433735
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:q2QCEhmnPDe5kKWJDKMOGkhpAOOjHHbmD0i6xKVMq0Azdip7ZYVyrM+kfvcew:qrN/rIDFOGEAxD7mHZVf1diptOyrM+k6
                                                                                                                        MD5:76C672ACB098C8658729EA7E6491A611
                                                                                                                        SHA1:F4D7186FECD66850FC339870B1F7EE89DC27F883
                                                                                                                        SHA-256:5C48318C5E0A7B71DD2F84C1CBB7A83BFCDD3DF6A4CB2F05BBBA493D316D5524
                                                                                                                        SHA-512:1E22D043419B351AC292E4799915ED0CA42053893738647AF6174871EDDF0C59560F82869D977F37CABA5D7D544DA2AD7F06557FE49288CEFB838A6514533577
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low
                                                                                                                        Preview:.....KCARa..D...s.CR...z:>...LGNOMCQKCAR96AM0LGNOMCQKCAR96A.0LG@P.MQ.J.s.7..../'<m3#$$33T.",^"(:o/&q96/rPXa...g# )&.FNKv96AM0LG.E...%...P...*..O....%..9....*..O....%..PU)..*.NOMCQKCAR96AM0LG..MC.JBA.&..M0LGNOMC.KA@Y8<AM.NGNOMCQKCAR.7AM LGN.OCQK.AR)6AM2LGKOLCQKCAW97AM0LGN.OCQICAR96AO0..NO]CQ[CAR9&AM LGNOMCAKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCA|MS990LG*.OCQ[CAR.4AM LGNOMCQKCAR96Am0L'NOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCAR96AM0LGNOMCQKCA
                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):6.961924148949352
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:(2).docx.exe
                                                                                                                        File size:1'310'208 bytes
                                                                                                                        MD5:8c01c51ef925e81212d6f39c098fe65f
                                                                                                                        SHA1:94404d75e90260be4bdea4d3f76d1cab1deca5ff
                                                                                                                        SHA256:f03d10d6d5be51c58642517465216d686f029cb1f85266939eed886f85e68dda
                                                                                                                        SHA512:334765de25735ba92fc9dc449750bc602d58d8292be572fd1c1d7d2381732d6b619ba8e2d25d38a44ae5e3e2431c7b886d0da2fe36dba90779d83ac4a06bde43
                                                                                                                        SSDEEP:24576:1tb20pkaCqT5TBWgNQ7aMokJHs8qKo10vIvrJth6B4q26A:mVg5tQ7afkJHtqKo10QJ6iJ5
                                                                                                                        TLSH:0355BF1333CC82A4CB7251B3B61667117F6BBC798664F51B2FD4367AAEF1161022A723
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                                                        Icon Hash:5339244a27396f6e
                                                                                                                        Entrypoint:0x425f74
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x673EABC6 [Thu Nov 21 03:40:54 2024 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:5
                                                                                                                        OS Version Minor:1
                                                                                                                        File Version Major:5
                                                                                                                        File Version Minor:1
                                                                                                                        Subsystem Version Major:5
                                                                                                                        Subsystem Version Minor:1
                                                                                                                        Import Hash:3d95adbf13bbe79dc24dccb401c12091
Instruction (entry point disassembly)
  call 00007F76DD30533Fh
  jmp 00007F76DD2F8354h
  int3
  int3
  push edi
  push esi
  mov esi, dword ptr [esp+10h]
  mov ecx, dword ptr [esp+14h]
  mov edi, dword ptr [esp+0Ch]
  mov eax, ecx
  mov edx, ecx
  add eax, esi
  cmp edi, esi
  jbe 00007F76DD2F84DAh
  cmp edi, eax
  jc 00007F76DD2F883Eh
  bt dword ptr [004C0158h], 01h
  jnc 00007F76DD2F84D9h
  rep movsb
  jmp 00007F76DD2F87ECh
  cmp ecx, 00000080h
  jc 00007F76DD2F86A4h
  mov eax, edi
  xor eax, esi
  test eax, 0000000Fh
  jne 00007F76DD2F84E0h
  bt dword ptr [004BA370h], 01h
  jc 00007F76DD2F89B0h
  bt dword ptr [004C0158h], 00000000h
  jnc 00007F76DD2F867Dh
  test edi, 00000003h
  jne 00007F76DD2F868Eh
  test esi, 00000003h
  jne 00007F76DD2F866Dh
  bt edi, 02h
  jnc 00007F76DD2F84DFh
  mov eax, dword ptr [esi]
  sub ecx, 04h
  lea esi, dword ptr [esi+04h]
  mov dword ptr [edi], eax
  lea edi, dword ptr [edi+04h]
  bt edi, 03h
  jnc 00007F76DD2F84E3h
  movq xmm1, qword ptr [esi]
  sub ecx, 08h
  lea esi, dword ptr [esi+08h]
  movq qword ptr [edi], xmm1
  lea edi, dword ptr [edi+08h]
  test esi, 00000007h
  je 00007F76DD2F8535h
  bt esi, 03h
  jnc 00007F76DD2F8588h
  movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x76d1c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13b000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x76d1c | 0x76e00 | e93e74537f61fa666b4cb9f4eeaa0d2d | False | 0.715581049553102 | data | 7.257856063098861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13b000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc46c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc47f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc4918 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4a40 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.5812899786780383
RT_ICON | 0xc58e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.7080324909747292
RT_ICON | 0xc6190 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | Great Britain | 0.7044930875576036
RT_ICON | 0xc6858 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.509393063583815
RT_ICON | 0xc6dc0 | 0x8313 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9963343763969602
RT_ICON | 0xcf0d4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.22783331361646753
RT_ICON | 0xdf8fc | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.3595753626235022
RT_ICON | 0xe8da4 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | Great Britain | 0.3624436090225564
RT_ICON | 0xef58c | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.3818853974121996
RT_ICON | 0xf4a14 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.34529995276334435
RT_ICON | 0xf8c3c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.49522821576763487
RT_ICON | 0xfb1e4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.5333020637898687
RT_ICON | 0xfc28c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.6852459016393443
RT_ICON | 0xfcc14 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7296099290780141
RT_MENU | 0xfd07c | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xfd0cc | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xfd660 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xfdcec | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xfe17c | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xfe778 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xfedd4 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xff23c | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xff394 | 0x3b3f1 | data | | | 1.0003337824974348
RT_GROUP_ICON | 0x13a788 | 0xca | data | English | Great Britain | 0.6683168316831684
RT_GROUP_ICON | 0x13a854 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x13a868 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x13a87c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x13a890 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x13a96c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 16:26:46.418514967 CET | 55206 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:26:46.643397093 CET | 53 | 55206 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:27:06.808027029 CET | 62809 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:27:07.193931103 CET | 53 | 62809 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:27:27.355391979 CET | 53232 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:27:27.729651928 CET | 53 | 53232 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:27:47.542737961 CET | 63713 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:27:47.786191940 CET | 53 | 63713 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:28:08.074903965 CET | 60844 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:28:08.455416918 CET | 53 | 60844 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:28:28.543734074 CET | 56991 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:28:28.788578033 CET | 53 | 56991 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:28:48.996417046 CET | 62205 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:28:49.221287966 CET | 53 | 62205 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:29:09.417808056 CET | 58188 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:29:09.779545069 CET | 53 | 58188 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:29:30.074999094 CET | 51580 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:29:30.296516895 CET | 53 | 51580 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:30:12.043200970 CET | 55842 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:30:12.302081108 CET | 53 | 55842 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 16:30:33.371040106 CET | 52342 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 16:30:33.596828938 CET | 53 | 52342 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 16:26:46.418514967 CET | 192.168.2.4 | 1.1.1.1 | 0x16e5 | Standard query (0) | www.elitjatarjoukset.click | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:06.808027029 CET | 192.168.2.4 | 1.1.1.1 | 0x3a42 | Standard query (0) | www.gzvmt.info | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:27.355391979 CET | 192.168.2.4 | 1.1.1.1 | 0xafaf | Standard query (0) | www.riteon.online | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:47.542737961 CET | 192.168.2.4 | 1.1.1.1 | 0xb981 | Standard query (0) | www.ovonordisk.online | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:08.074903965 CET | 192.168.2.4 | 1.1.1.1 | 0x5968 | Standard query (0) | www.narchists.info | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:28.543734074 CET | 192.168.2.4 | 1.1.1.1 | 0x30c5 | Standard query (0) | www.ijanarko.net | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:48.996417046 CET | 192.168.2.4 | 1.1.1.1 | 0xc300 | Standard query (0) | www.2creativedesign.online | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:29:09.417808056 CET | 192.168.2.4 | 1.1.1.1 | 0x7c3 | Standard query (0) | www.tandkite.fun | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:29:30.074999094 CET | 192.168.2.4 | 1.1.1.1 | 0xde77 | Standard query (0) | www.ualitystore.shop | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:30:12.043200970 CET | 192.168.2.4 | 1.1.1.1 | 0x4530 | Standard query (0) | www.onesome.store | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:30:33.371040106 CET | 192.168.2.4 | 1.1.1.1 | 0xa6c6 | Standard query (0) | www.p-inbox4.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 16:26:46.643397093 CET | 1.1.1.1 | 192.168.2.4 | 0x16e5 | Name error (3) | www.elitjatarjoukset.click | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:07.193931103 CET | 1.1.1.1 | 192.168.2.4 | 0x3a42 | Name error (3) | www.gzvmt.info | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:27.729651928 CET | 1.1.1.1 | 192.168.2.4 | 0xafaf | Name error (3) | www.riteon.online | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:27:47.786191940 CET | 1.1.1.1 | 192.168.2.4 | 0xb981 | Name error (3) | www.ovonordisk.online | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:08.455416918 CET | 1.1.1.1 | 192.168.2.4 | 0x5968 | Name error (3) | www.narchists.info | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:28.788578033 CET | 1.1.1.1 | 192.168.2.4 | 0x30c5 | Name error (3) | www.ijanarko.net | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:28:49.221287966 CET | 1.1.1.1 | 192.168.2.4 | 0xc300 | Name error (3) | www.2creativedesign.online | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:29:09.779545069 CET | 1.1.1.1 | 192.168.2.4 | 0x7c3 | Name error (3) | www.tandkite.fun | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:29:30.296516895 CET | 1.1.1.1 | 192.168.2.4 | 0xde77 | Name error (3) | www.ualitystore.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:30:12.302081108 CET | 1.1.1.1 | 192.168.2.4 | 0x4530 | Name error (3) | www.onesome.store | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 16:30:33.596828938 CET | 1.1.1.1 | 192.168.2.4 | 0xa6c6 | Name error (3) | www.p-inbox4.click | none | none | A (IP address) | IN (0x0001) | false

                                                                                                                        Target ID:0
                                                                                                                        Start time:10:26:09
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Users\user\Desktop\(2).docx.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\(2).docx.exe"
                                                                                                                        Imagebase:0x2d0000
                                                                                                                        File size:1'310'208 bytes
                                                                                                                        MD5 hash:8C01C51EF925E81212D6F39C098FE65F
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1712953474.0000000001D10000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low
                                                                                                                        Has exited:true

                                                                                                                        Target ID:1
                                                                                                                        Start time:10:26:11
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\(2).docx.exe"
                                                                                                                        Imagebase:0xf90000
                                                                                                                        File size:46'504 bytes
                                                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1770954134.0000000000F10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1769816274.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1771015115.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:high
                                                                                                                        Has exited:true

                                                                                                                        Target ID:2
                                                                                                                        Start time:10:26:12
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                        Imagebase:0x7ff72b770000
                                                                                                                        File size:5'141'208 bytes
                                                                                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.4170679439.000000000E64E000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        Reputation:high
                                                                                                                        Has exited:false

                                                                                                                        Target ID:3
                                                                                                                        Start time:10:26:14
                                                                                                                        Start date:21/11/2024
                                                                                                                        Path:C:\Windows\SysWOW64\cmstp.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Windows\SysWOW64\cmstp.exe"
                                                                                                                        Imagebase:0x370000
                                                                                                                        File size:81'920 bytes
                                                                                                                        MD5 hash:D7AABFAB5BEFD53BA3A27BD48F3CC675
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4157701602.00000000026E0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4158199606.0000000004330000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4158309338.0000000004360000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:moderate
                                                                                                                        Has exited:false

                                                                                                                        Target ID:4
                                                                                                                        Start time:10:26:18
Start date: 21/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:26:18
Start date: 21/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 1.2%
Signature Coverage: 9.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 57
                                                                                                                          execution_graph 92459 3419dd 92464 2d4a30 92459->92464 92461 3419f1 92484 2f0f0a 52 API calls __cinit 92461->92484 92463 3419fb 92465 2d4a40 __ftell_nolock 92464->92465 92485 2dd7f7 92465->92485 92469 2d4aff 92497 2d363c 92469->92497 92476 2dd7f7 48 API calls 92477 2d4b32 92476->92477 92519 2d49fb 92477->92519 92479 2d4b43 Mailbox 92479->92461 92480 2d61a6 48 API calls 92483 2d4b3d _wcscat Mailbox __NMSG_WRITE 92480->92483 92482 2d64cf 48 API calls 92482->92483 92483->92479 92483->92480 92483->92482 92533 2dce19 92483->92533 92484->92463 92539 2ef4ea 92485->92539 92487 2dd818 92488 2ef4ea 48 API calls 92487->92488 92489 2d4af6 92488->92489 92490 2d5374 92489->92490 92570 2ff8a0 92490->92570 92493 2dce19 48 API calls 92494 2d53a7 92493->92494 92572 2d660f 92494->92572 92496 2d53b1 Mailbox 92496->92469 92498 2d3649 __ftell_nolock 92497->92498 92619 2d366c GetFullPathNameW 92498->92619 92500 2d365a 92501 2d6a63 48 API calls 92500->92501 92502 2d3669 92501->92502 92503 2d518c 92502->92503 92504 2d5197 92503->92504 92505 2d519f 92504->92505 92506 341ace 92504->92506 92621 2d5130 92505->92621 92508 2d6b4a 48 API calls 92506->92508 92510 341adb __NMSG_WRITE 92508->92510 92509 2d4b18 92513 2d64cf 92509->92513 92511 2eee75 48 API calls 92510->92511 92512 341b07 _memcpy_s 92511->92512 92514 2d651b 92513->92514 92518 2d64dd _memcpy_s 92513->92518 92517 2ef4ea 48 API calls 92514->92517 92515 2ef4ea 48 API calls 92516 2d4b29 92515->92516 92516->92476 92517->92518 92518->92515 92636 2dbcce 92519->92636 92522 2d4a2b 92522->92483 92523 3441cc RegQueryValueExW 92524 3441e5 92523->92524 92525 344246 RegCloseKey 92523->92525 92526 2ef4ea 48 API calls 92524->92526 92527 3441fe 92526->92527 92642 2d47b7 92527->92642 92530 344224 92532 2d6a63 48 API calls 92530->92532 92531 34423b 92531->92525 92532->92531 92534 2dce28 __NMSG_WRITE 92533->92534 92535 2eee75 48 API 
calls 92534->92535 92536 2dce50 _memcpy_s 92535->92536 92537 2ef4ea 48 API calls 92536->92537 92538 2dce66 92537->92538 92538->92483 92540 2ef4f2 __calloc_impl 92539->92540 92542 2ef50c 92540->92542 92543 2ef50e std::exception::exception 92540->92543 92548 2f395c 92540->92548 92542->92487 92562 2f6805 RaiseException 92543->92562 92545 2ef538 92563 2f673b 47 API calls _free 92545->92563 92547 2ef54a 92547->92487 92549 2f39d7 __calloc_impl 92548->92549 92553 2f3968 __calloc_impl 92548->92553 92569 2f7c0e 47 API calls __getptd_noexit 92549->92569 92552 2f399b RtlAllocateHeap 92552->92553 92561 2f39cf 92552->92561 92553->92552 92555 2f39c3 92553->92555 92556 2f3973 92553->92556 92559 2f39c1 92553->92559 92567 2f7c0e 47 API calls __getptd_noexit 92555->92567 92556->92553 92564 2f81c2 47 API calls __NMSG_WRITE 92556->92564 92565 2f821f 47 API calls 5 library calls 92556->92565 92566 2f1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 92556->92566 92568 2f7c0e 47 API calls __getptd_noexit 92559->92568 92561->92540 92562->92545 92563->92547 92564->92556 92565->92556 92567->92559 92568->92561 92569->92561 92571 2d5381 GetModuleFileNameW 92570->92571 92571->92493 92573 2ff8a0 __ftell_nolock 92572->92573 92574 2d661c GetFullPathNameW 92573->92574 92579 2d6a63 92574->92579 92576 2d6643 92590 2d6571 92576->92590 92580 2d6adf 92579->92580 92582 2d6a6f __NMSG_WRITE 92579->92582 92607 2db18b 92580->92607 92583 2d6a8b 92582->92583 92584 2d6ad7 92582->92584 92594 2d6b4a 92583->92594 92606 2dc369 48 API calls 92584->92606 92587 2d6ab6 _memcpy_s 92587->92576 92588 2d6a95 92597 2eee75 92588->92597 92591 2d657f 92590->92591 92592 2db18b 48 API calls 92591->92592 92593 2d658f 92592->92593 92593->92496 92595 2ef4ea 48 API calls 92594->92595 92596 2d6b54 92595->92596 92596->92588 92599 2ef4ea __calloc_impl 92597->92599 92598 2f395c _W_store_winword 47 API calls 92598->92599 92599->92598 92600 2ef50c 92599->92600 92601 2ef50e std::exception::exception 92599->92601 
92600->92587 92611 2f6805 RaiseException 92601->92611 92603 2ef538 92612 2f673b 47 API calls _free 92603->92612 92605 2ef54a 92605->92587 92606->92587 92608 2db199 92607->92608 92610 2db1a2 _memcpy_s 92607->92610 92608->92610 92613 2dbdfa 92608->92613 92610->92587 92611->92603 92612->92605 92614 2dbe0d 92613->92614 92618 2dbe0a _memcpy_s 92613->92618 92615 2ef4ea 48 API calls 92614->92615 92616 2dbe17 92615->92616 92617 2eee75 48 API calls 92616->92617 92617->92618 92618->92610 92620 2d368a 92619->92620 92620->92500 92622 2d513f __NMSG_WRITE 92621->92622 92623 341b27 92622->92623 92624 2d5151 92622->92624 92626 2d6b4a 48 API calls 92623->92626 92631 2dbb85 92624->92631 92628 341b34 92626->92628 92627 2d515e _memcpy_s 92627->92509 92629 2eee75 48 API calls 92628->92629 92630 341b57 _memcpy_s 92629->92630 92632 2dbb9b 92631->92632 92635 2dbb96 _memcpy_s 92631->92635 92633 2eee75 48 API calls 92632->92633 92634 341b77 92632->92634 92633->92635 92634->92634 92635->92627 92637 2dbce8 92636->92637 92638 2d4a0a RegOpenKeyExW 92636->92638 92639 2ef4ea 48 API calls 92637->92639 92638->92522 92638->92523 92640 2dbcf2 92639->92640 92641 2eee75 48 API calls 92640->92641 92641->92638 92643 2ef4ea 48 API calls 92642->92643 92644 2d47c9 RegQueryValueExW 92643->92644 92644->92530 92644->92531 92645 348eb8 92649 31a635 92645->92649 92647 348ec3 92648 31a635 84 API calls 92647->92648 92648->92647 92650 31a66f 92649->92650 92655 31a642 92649->92655 92650->92647 92651 31a671 92690 2eec4e 81 API calls 92651->92690 92652 31a676 92660 2d936c 92652->92660 92655->92650 92655->92651 92655->92652 92658 31a669 92655->92658 92656 31a67d 92680 2d510d 92656->92680 92689 2e4525 61 API calls _memcpy_s 92658->92689 92661 2d9384 92660->92661 92678 2d9380 92660->92678 92662 2d93b0 __itow Mailbox _wcscpy 92661->92662 92663 2d9398 92661->92663 92664 344bbf 92661->92664 92667 344cbd __i64tow 92661->92667 92670 2ef4ea 48 API calls 92662->92670 92691 2f172b 80 API calls 4 library calls 92663->92691 92665 
344ca5 92664->92665 92669 344bc8 92664->92669 92692 2f172b 80 API calls 4 library calls 92665->92692 92667->92667 92669->92662 92672 344be7 92669->92672 92671 2d93ba 92670->92671 92673 2dce19 48 API calls 92671->92673 92671->92678 92674 2ef4ea 48 API calls 92672->92674 92673->92678 92675 344c04 92674->92675 92676 2ef4ea 48 API calls 92675->92676 92677 344c2a 92676->92677 92677->92678 92679 2dce19 48 API calls 92677->92679 92678->92656 92679->92678 92681 2d511f 92680->92681 92682 341be7 92680->92682 92693 2db384 92681->92693 92702 30a58f 48 API calls _memcpy_s 92682->92702 92685 2d512b 92685->92650 92686 341bf1 92703 2d6eed 92686->92703 92688 341bf9 Mailbox 92689->92650 92690->92652 92691->92662 92692->92662 92694 2db392 92693->92694 92695 2db3c5 _memcpy_s 92693->92695 92694->92695 92696 2db3fd 92694->92696 92697 2db3b8 92694->92697 92695->92685 92695->92695 92698 2ef4ea 48 API calls 92696->92698 92699 2dbb85 48 API calls 92697->92699 92700 2db407 92698->92700 92699->92695 92701 2ef4ea 48 API calls 92700->92701 92701->92695 92702->92686 92704 2d6ef8 92703->92704 92705 2d6f00 92703->92705 92707 2ddd47 48 API calls _memcpy_s 92704->92707 92705->92688 92707->92705 92708 1258588 92722 12561d8 92708->92722 92710 125862b 92725 1258478 92710->92725 92724 1256863 92722->92724 92728 1259658 GetPEB 92722->92728 92724->92710 92726 1258481 Sleep 92725->92726 92727 125848f 92726->92727 92728->92724 92729 2def80 92732 2e3b70 92729->92732 92731 2def8c 92733 2e3bc8 92732->92733 92734 2e42a5 92732->92734 92735 2e3bef 92733->92735 92737 346fd1 92733->92737 92740 346f7e 92733->92740 92746 346f9b 92733->92746 92839 31cc5c 86 API calls 4 library calls 92734->92839 92736 2ef4ea 48 API calls 92735->92736 92738 2e3c18 92736->92738 92827 32ceca 335 API calls Mailbox 92737->92827 92742 2ef4ea 48 API calls 92738->92742 92740->92735 92743 346f87 92740->92743 92741 346fbe 92826 31cc5c 86 API calls 4 library calls 92741->92826 92759 2e3c2c _memcpy_s __NMSG_WRITE 92742->92759 92824 32d552 335 API 
calls Mailbox 92743->92824 92746->92741 92825 32da0e 335 API calls 2 library calls 92746->92825 92749 2e3f2b 92749->92731 92750 3473b0 92750->92731 92751 34737a 92845 31cc5c 86 API calls 4 library calls 92751->92845 92752 347297 92835 31cc5c 86 API calls 4 library calls 92752->92835 92757 2edce0 53 API calls 92757->92759 92759->92734 92759->92749 92759->92751 92759->92752 92759->92757 92760 34707e 92759->92760 92765 2dd645 53 API calls 92759->92765 92767 3472d2 92759->92767 92768 2e40df 92759->92768 92769 2dfe30 335 API calls 92759->92769 92771 347350 92759->92771 92773 347363 92759->92773 92775 3472e9 92759->92775 92776 2e42f2 92759->92776 92779 2d6a63 48 API calls 92759->92779 92781 34714c 92759->92781 92782 2dd286 48 API calls 92759->92782 92785 34733f 92759->92785 92791 2eee75 48 API calls 92759->92791 92792 2d6eed 48 API calls 92759->92792 92794 3471e1 92759->92794 92801 2ef4ea 48 API calls 92759->92801 92804 2dd9a0 53 API calls __cinit 92759->92804 92805 2dd83d 53 API calls 92759->92805 92806 2dcdb9 48 API calls 92759->92806 92807 2dd6e9 92759->92807 92811 2ec15c 48 API calls 92759->92811 92812 2ec050 92759->92812 92823 2ebecb 335 API calls 92759->92823 92829 2ddcae 50 API calls Mailbox 92759->92829 92830 32ccdc 48 API calls 92759->92830 92831 31a1eb 50 API calls 92759->92831 92828 31cc5c 86 API calls 4 library calls 92760->92828 92765->92759 92837 31cc5c 86 API calls 4 library calls 92767->92837 92836 31cc5c 86 API calls 4 library calls 92768->92836 92769->92759 92843 31cc5c 86 API calls 4 library calls 92771->92843 92844 31cc5c 86 API calls 4 library calls 92773->92844 92838 31cc5c 86 API calls 4 library calls 92775->92838 92846 31cc5c 86 API calls 4 library calls 92776->92846 92779->92759 92832 32ccdc 48 API calls 92781->92832 92782->92759 92842 31cc5c 86 API calls 4 library calls 92785->92842 92788 3471a1 92834 2ec15c 48 API calls 92788->92834 92791->92759 92792->92759 92794->92749 92841 31cc5c 86 API calls 4 library calls 92794->92841 92795 34715f 
92795->92788 92833 32ccdc 48 API calls 92795->92833 92797 3471ce 92798 2ec050 48 API calls 92797->92798 92800 3471d6 92798->92800 92799 3471ab 92799->92734 92799->92797 92800->92794 92802 347313 92800->92802 92801->92759 92840 31cc5c 86 API calls 4 library calls 92802->92840 92804->92759 92805->92759 92806->92759 92808 2dd6f4 92807->92808 92809 2dd71b 92808->92809 92847 2dd764 55 API calls 92808->92847 92809->92759 92811->92759 92813 2ec064 92812->92813 92815 2ec069 Mailbox 92812->92815 92848 2ec1af 48 API calls 92813->92848 92816 2ec077 92815->92816 92849 2ec15c 48 API calls 92815->92849 92818 2ef4ea 48 API calls 92816->92818 92819 2ec152 92816->92819 92820 2ec108 92818->92820 92819->92759 92821 2ef4ea 48 API calls 92820->92821 92822 2ec113 92821->92822 92822->92759 92823->92759 92824->92749 92825->92741 92826->92737 92827->92759 92828->92749 92829->92759 92830->92759 92831->92759 92832->92795 92833->92795 92834->92799 92835->92768 92836->92749 92837->92775 92838->92749 92839->92749 92840->92749 92841->92749 92842->92749 92843->92749 92844->92749 92845->92749 92846->92750 92847->92809 92848->92815 92849->92816 92850 3419ba 92855 2ec75a 92850->92855 92854 3419c9 92856 2dd7f7 48 API calls 92855->92856 92857 2ec7c8 92856->92857 92863 2ed26c 92857->92863 92860 2ec865 92861 2ec881 92860->92861 92866 2ed1fa 48 API calls _memcpy_s 92860->92866 92862 2f0f0a 52 API calls __cinit 92861->92862 92862->92854 92867 2ed298 92863->92867 92866->92860 92868 2ed28b 92867->92868 92869 2ed2a5 92867->92869 92868->92860 92869->92868 92870 2ed2ac RegOpenKeyExW 92869->92870 92870->92868 92871 2ed2c6 RegQueryValueExW 92870->92871 92872 2ed2fc RegCloseKey 92871->92872 92873 2ed2e7 92871->92873 92872->92868 92873->92872 92874 34197b 92879 2edd94 92874->92879 92878 34198a 92880 2ef4ea 48 API calls 92879->92880 92881 2edd9c 92880->92881 92882 2eddb0 92881->92882 92887 2edf3d 92881->92887 92886 2f0f0a 52 API calls __cinit 92882->92886 92886->92878 92888 2edda8 92887->92888 92889 2edf46 
92887->92889 92891 2eddc0 92888->92891 92919 2f0f0a 52 API calls __cinit 92889->92919 92892 2dd7f7 48 API calls 92891->92892 92893 2eddd7 GetVersionExW 92892->92893 92894 2d6a63 48 API calls 92893->92894 92895 2ede1a 92894->92895 92920 2edfb4 92895->92920 92898 2d6571 48 API calls 92900 2ede2e 92898->92900 92902 3424c8 92900->92902 92924 2edf77 92900->92924 92903 2edebb 92906 2edee3 92903->92906 92907 2edf31 GetSystemInfo 92903->92907 92904 2edea4 GetCurrentProcess 92933 2edf5f LoadLibraryA GetProcAddress 92904->92933 92927 2ee00c 92906->92927 92908 2edf0e 92907->92908 92910 2edf1c FreeLibrary 92908->92910 92911 2edf21 92908->92911 92910->92911 92911->92882 92913 2edf29 GetSystemInfo 92916 2edf03 92913->92916 92914 2edef9 92930 2edff4 92914->92930 92916->92908 92918 2edf09 FreeLibrary 92916->92918 92918->92908 92919->92888 92921 2edfbd 92920->92921 92922 2db18b 48 API calls 92921->92922 92923 2ede22 92922->92923 92923->92898 92934 2edf89 92924->92934 92938 2ee01e 92927->92938 92931 2ee00c 2 API calls 92930->92931 92932 2edf01 GetNativeSystemInfo 92931->92932 92932->92916 92933->92903 92935 2edea0 92934->92935 92936 2edf92 LoadLibraryA 92934->92936 92935->92903 92935->92904 92936->92935 92937 2edfa3 GetProcAddress 92936->92937 92937->92935 92939 2edef1 92938->92939 92940 2ee027 LoadLibraryA 92938->92940 92939->92913 92939->92914 92940->92939 92941 2ee038 GetProcAddress 92940->92941 92941->92939 92942 2d3742 92943 2d374b 92942->92943 92944 2d3769 92943->92944 92945 2d37c8 92943->92945 92981 2d37c6 92943->92981 92946 2d382c PostQuitMessage 92944->92946 92947 2d3776 92944->92947 92949 2d37ce 92945->92949 92950 341e00 92945->92950 92954 2d37b9 92946->92954 92952 341e88 92947->92952 92953 2d3781 92947->92953 92948 2d37ab DefWindowProcW 92948->92954 92955 2d37f6 SetTimer RegisterWindowMessageW 92949->92955 92956 2d37d3 92949->92956 92997 2d2ff6 16 API calls 92950->92997 93012 314ddd 60 API calls _memset 92952->93012 92958 2d3789 92953->92958 92959 2d3836 92953->92959 
92955->92954 92960 2d381f CreatePopupMenu 92955->92960 92962 341da3 92956->92962 92963 2d37da KillTimer 92956->92963 92957 341e27 92998 2ee312 335 API calls Mailbox 92957->92998 92965 341e6d 92958->92965 92966 2d3794 92958->92966 92987 2eeb83 92959->92987 92960->92954 92969 341ddc MoveWindow 92962->92969 92970 341da8 92962->92970 92994 2d3847 Shell_NotifyIconW _memset 92963->92994 92965->92948 93011 30a5f3 48 API calls 92965->93011 92972 2d379f 92966->92972 92973 341e58 92966->92973 92967 341e9a 92967->92948 92967->92954 92969->92954 92974 341dac 92970->92974 92975 341dcb SetFocus 92970->92975 92972->92948 92999 2d3847 Shell_NotifyIconW _memset 92972->92999 93010 3155bd 70 API calls _memset 92973->93010 92974->92972 92979 341db5 92974->92979 92975->92954 92976 2d37ed 92995 2d390f DeleteObject DestroyWindow Mailbox 92976->92995 92996 2d2ff6 16 API calls 92979->92996 92981->92948 92983 341e68 92983->92954 92985 341e4c 93000 2d4ffc 92985->93000 92988 2eec1c 92987->92988 92989 2eeb9a _memset 92987->92989 92988->92954 93013 2d51af 92989->93013 92991 2eec05 KillTimer SetTimer 92991->92988 92992 343c7a Shell_NotifyIconW 92992->92991 92993 2eebc1 92993->92991 92993->92992 92994->92976 92995->92954 92996->92954 92997->92957 92998->92972 92999->92985 93001 2d5027 _memset 93000->93001 93040 2d4c30 93001->93040 93004 2d50ac 93006 2d50ca Shell_NotifyIconW 93004->93006 93007 343d28 Shell_NotifyIconW 93004->93007 93008 2d51af 50 API calls 93006->93008 93009 2d50df 93008->93009 93009->92981 93010->92983 93011->92981 93012->92967 93014 2d51cb 93013->93014 93015 2d52a2 Mailbox 93013->93015 93035 2d6b0f 93014->93035 93015->92993 93018 343ca1 LoadStringW 93022 343cbb 93018->93022 93019 2d51e6 93020 2d6a63 48 API calls 93019->93020 93021 2d51fb 93020->93021 93021->93022 93023 2d520c 93021->93023 93024 2d510d 48 API calls 93022->93024 93025 2d52a7 93023->93025 93026 2d5216 93023->93026 93029 343cc5 93024->93029 93027 2d6eed 48 API calls 93025->93027 93028 2d510d 48 API calls 
93026->93028 93032 2d5220 _memset _wcscpy 93027->93032 93028->93032 93030 2d518c 48 API calls 93029->93030 93029->93032 93031 343ce7 93030->93031 93034 2d518c 48 API calls 93031->93034 93033 2d5288 Shell_NotifyIconW 93032->93033 93033->93015 93034->93032 93036 2ef4ea 48 API calls 93035->93036 93037 2d6b34 93036->93037 93038 2d6b4a 48 API calls 93037->93038 93039 2d51d9 93038->93039 93039->93018 93039->93019 93041 343c33 93040->93041 93042 2d4c44 93040->93042 93041->93042 93043 343c3c DestroyIcon 93041->93043 93042->93004 93044 315819 61 API calls _W_store_winword 93042->93044 93043->93042 93044->93004 93045 349c06 93056 2ed3be 93045->93056 93047 349c1c 93055 349c91 Mailbox 93047->93055 93137 2d1caa 49 API calls 93047->93137 93051 349cc5 93052 34a7ab Mailbox 93051->93052 93139 31cc5c 86 API calls 4 library calls 93051->93139 93053 349c71 93053->93051 93138 31b171 48 API calls 93053->93138 93065 2e3200 93055->93065 93057 2ed3dc 93056->93057 93058 2ed3ca 93056->93058 93060 2ed40b 93057->93060 93061 2ed3e2 93057->93061 93140 2ddcae 50 API calls Mailbox 93058->93140 93141 2ddcae 50 API calls Mailbox 93060->93141 93063 2ef4ea 48 API calls 93061->93063 93064 2ed3d4 93063->93064 93064->93047 93142 2dbd30 93065->93142 93067 2e3267 93068 2e32f8 93067->93068 93069 34907a 93067->93069 93128 2e3628 93067->93128 93215 2ec36b 86 API calls 93068->93215 93250 31cc5c 86 API calls 4 library calls 93069->93250 93073 2e3313 93126 2e34eb _memcpy_s Mailbox 93073->93126 93073->93128 93131 3494df 93073->93131 93147 2d2b7a 93073->93147 93075 3491fa 93265 31cc5c 86 API calls 4 library calls 93075->93265 93079 3493c5 93082 2dfe30 335 API calls 93079->93082 93080 34926d 93269 31cc5c 86 API calls 4 library calls 93080->93269 93081 34909a 93081->93075 93251 2dd645 93081->93251 93085 349407 93082->93085 93095 2dd6e9 55 API calls 93085->93095 93085->93128 93087 2e33ce 93092 34945e 93087->93092 93093 2e3465 93087->93093 93087->93126 93089 349114 93102 349128 93089->93102 93111 349152 93089->93111 
93090 349220 93266 2d1caa 49 API calls 93090->93266 93275 31c942 50 API calls 93092->93275 93098 2ef4ea 48 API calls 93093->93098 93099 349438 93095->93099 93114 2e346c 93098->93114 93274 31cc5c 86 API calls 4 library calls 93099->93274 93100 34923d 93104 349252 93100->93104 93105 34925e 93100->93105 93261 31cc5c 86 API calls 4 library calls 93102->93261 93267 31cc5c 86 API calls 4 library calls 93104->93267 93268 31cc5c 86 API calls 4 library calls 93105->93268 93107 2ec3c3 48 API calls 93107->93126 93112 349177 93111->93112 93116 349195 93111->93116 93262 32f320 335 API calls 93112->93262 93122 2e351f 93114->93122 93154 2de8d0 93114->93154 93117 34918b 93116->93117 93263 32f5ee 335 API calls 93116->93263 93117->93128 93264 2ec2d6 48 API calls _memcpy_s 93117->93264 93120 2ef4ea 48 API calls 93120->93126 93123 2d6eed 48 API calls 93122->93123 93125 2e3540 93122->93125 93123->93125 93124 349394 93127 2ef4ea 48 API calls 93124->93127 93125->93128 93130 3494b0 93125->93130 93134 2e3585 93125->93134 93126->93079 93126->93080 93126->93081 93126->93099 93126->93107 93126->93120 93126->93122 93126->93124 93126->93128 93217 2dd9a0 53 API calls __cinit 93126->93217 93218 2dd8c0 53 API calls 93126->93218 93219 2ec2d6 48 API calls _memcpy_s 93126->93219 93220 2dfe30 93126->93220 93270 32cda2 82 API calls Mailbox 93126->93270 93271 3180e3 53 API calls 93126->93271 93272 2dd764 55 API calls 93126->93272 93273 2ddcae 50 API calls Mailbox 93126->93273 93127->93079 93136 2e3635 Mailbox 93128->93136 93249 31cc5c 86 API calls 4 library calls 93128->93249 93276 2ddcae 50 API calls Mailbox 93130->93276 93131->93128 93277 31cc5c 86 API calls 4 library calls 93131->93277 93133 2e3615 93216 2ddcae 50 API calls Mailbox 93133->93216 93134->93128 93134->93131 93134->93133 93136->93051 93137->93053 93138->93055 93139->93052 93140->93064 93141->93064 93143 2dbd3f 93142->93143 93146 2dbd5a 93142->93146 93144 2dbdfa 48 API calls 93143->93144 93145 2dbd47 CharUpperBuffW 93144->93145 
93145->93146 93146->93067 93148 2d2b8b 93147->93148 93149 34436a 93147->93149 93150 2ef4ea 48 API calls 93148->93150 93151 2d2b92 93150->93151 93152 2d2bb3 93151->93152 93278 2d2bce 48 API calls 93151->93278 93152->93087 93155 2de8f6 93154->93155 93175 2de906 Mailbox 93154->93175 93156 2ded52 93155->93156 93155->93175 93377 2ee3cd 335 API calls 93156->93377 93157 2debc7 93159 2debdd 93157->93159 93378 2d2ff6 16 API calls 93157->93378 93159->93126 93161 2ded63 93161->93159 93162 2ded70 93161->93162 93379 2ee312 335 API calls Mailbox 93162->93379 93163 2de94c PeekMessageW 93163->93175 93165 34526e Sleep 93165->93175 93166 2ded77 LockWindowUpdate DestroyWindow GetMessageW 93166->93159 93168 2deda9 93166->93168 93169 3459ef TranslateMessage DispatchMessageW GetMessageW 93168->93169 93169->93169 93171 345a1f 93169->93171 93171->93159 93172 2ded21 PeekMessageW 93172->93175 93173 2debf7 timeGetTime 93173->93175 93175->93157 93175->93163 93175->93165 93175->93172 93175->93173 93176 2d6eed 48 API calls 93175->93176 93177 345557 WaitForSingleObject 93175->93177 93178 2ef4ea 48 API calls 93175->93178 93179 2ded3a TranslateMessage DispatchMessageW 93175->93179 93180 34588f Sleep 93175->93180 93183 345429 Mailbox 93175->93183 93184 2dedae timeGetTime 93175->93184 93185 345733 Sleep 93175->93185 93191 2d2aae 311 API calls 93175->93191 93193 345445 Sleep 93175->93193 93201 2d1caa 49 API calls 93175->93201 93206 2dfe30 311 API calls 93175->93206 93210 2e3200 311 API calls 93175->93210 93211 2dce19 48 API calls 93175->93211 93212 2dd6e9 55 API calls 93175->93212 93213 31cc5c 86 API calls 93175->93213 93279 2def00 93175->93279 93284 2df110 93175->93284 93349 2e45e0 93175->93349 93366 2ee244 93175->93366 93371 2edc5f 93175->93371 93376 2deed0 335 API calls Mailbox 93175->93376 93381 338d23 48 API calls 93175->93381 93176->93175 93177->93175 93181 345574 GetExitCodeProcess CloseHandle 93177->93181 93178->93175 93179->93172 93180->93183 93181->93175 93182 2dd7f7 48 API calls 
93182->93183 93183->93175 93183->93182 93189 345926 GetExitCodeProcess 93183->93189 93192 2edc38 timeGetTime 93183->93192 93183->93193 93196 345432 Sleep 93183->93196 93197 338c4b 108 API calls 93183->93197 93198 2d2c79 107 API calls 93183->93198 93200 3459ae Sleep 93183->93200 93204 2dce19 48 API calls 93183->93204 93207 2dd6e9 55 API calls 93183->93207 93382 314cbe 49 API calls Mailbox 93183->93382 93383 2d1caa 49 API calls 93183->93383 93384 2d2aae 335 API calls 93183->93384 93385 32ccb2 50 API calls 93183->93385 93386 317a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 93183->93386 93387 316532 63 API calls 3 library calls 93183->93387 93380 2d1caa 49 API calls 93184->93380 93185->93183 93194 345952 CloseHandle 93189->93194 93195 34593c WaitForSingleObject 93189->93195 93191->93175 93192->93183 93193->93175 93194->93183 93195->93175 93195->93194 93196->93193 93197->93183 93198->93183 93200->93175 93201->93175 93204->93183 93206->93175 93207->93183 93210->93175 93211->93175 93212->93175 93213->93175 93215->93073 93216->93128 93217->93126 93218->93126 93219->93126 93221 2dfe50 93220->93221 93232 2dfe7e 93220->93232 93222 2ef4ea 48 API calls 93221->93222 93222->93232 93223 2e146e 93224 2d6eed 48 API calls 93223->93224 93234 2dffe1 93224->93234 93225 2e1473 94450 31cc5c 86 API calls 4 library calls 93225->94450 93226 3097ed InterlockedDecrement 93226->93232 93227 2ef4ea 48 API calls 93227->93232 93228 2dd7f7 48 API calls 93228->93232 93230 2e0509 94451 31cc5c 86 API calls 4 library calls 93230->94451 93232->93223 93232->93225 93232->93226 93232->93227 93232->93228 93232->93230 93232->93234 93235 34a246 93232->93235 93240 2d6eed 48 API calls 93232->93240 93242 34a30e 93232->93242 93243 2f0f0a 52 API calls __cinit 93232->93243 93245 34a973 93232->93245 93248 2e15b5 93232->93248 94446 2e1820 335 API calls 2 library calls 93232->94446 94447 2e1d10 59 API calls Mailbox 93232->94447 93234->93126 93237 2d6eed 48 API calls 
93235->93237 93236 34a922 93236->93126 93237->93234 93240->93232 93241 34a873 93241->93126 93242->93234 94448 3097ed InterlockedDecrement 93242->94448 93243->93232 94452 31cc5c 86 API calls 4 library calls 93245->94452 93247 34a982 94449 31cc5c 86 API calls 4 library calls 93248->94449 93249->93136 93250->93073 93252 2dd654 93251->93252 93260 2dd67e 93251->93260 93253 2dd65b 93252->93253 93256 2dd6c2 93252->93256 93254 2dd6ab 93253->93254 93255 2dd666 93253->93255 93254->93260 94454 2edce0 53 API calls 93254->94454 94453 2dd9a0 53 API calls __cinit 93255->94453 93256->93254 94455 2edce0 53 API calls 93256->94455 93260->93089 93260->93090 93261->93128 93262->93117 93263->93117 93264->93075 93265->93128 93266->93100 93267->93128 93268->93128 93269->93128 93270->93126 93271->93126 93272->93126 93273->93126 93274->93128 93275->93122 93276->93131 93277->93128 93278->93152 93280 2def2f 93279->93280 93282 2def1d 93279->93282 93388 31cc5c 86 API calls 4 library calls 93280->93388 93282->93175 93283 3486f9 93283->93283 93285 2df130 93284->93285 93287 2dfe30 335 API calls 93285->93287 93289 2df199 93285->93289 93286 2df595 93293 2dd7f7 48 API calls 93286->93293 93314 2df431 Mailbox 93286->93314 93290 348728 93287->93290 93288 3487c8 93409 31cc5c 86 API calls 4 library calls 93288->93409 93289->93286 93296 2dd7f7 48 API calls 93289->93296 93312 2df229 93289->93312 93338 2df3dd 93289->93338 93290->93289 93406 31cc5c 86 API calls 4 library calls 93290->93406 93291 2df418 93297 348b1b 93291->93297 93291->93314 93317 2df6aa 93291->93317 93295 3487a3 93293->93295 93408 2f0f0a 52 API calls __cinit 93295->93408 93298 348772 93296->93298 93318 348b2c 93297->93318 93319 348bcf 93297->93319 93407 2f0f0a 52 API calls __cinit 93298->93407 93300 2df3f2 93300->93291 93410 319af1 48 API calls 93300->93410 93301 2df770 93310 348a45 93301->93310 93330 2df77a 93301->93330 93303 2dd6e9 55 API calls 93303->93314 93305 348c53 93424 31cc5c 86 API calls 4 library calls 93305->93424 93306 348810 
93411 32eef8 335 API calls 93306->93411 93307 2dfe30 335 API calls 93307->93317 93308 31cc5c 86 API calls 93308->93314 93309 348b7e 93419 32e40a 335 API calls Mailbox 93309->93419 93416 2ec1af 48 API calls 93310->93416 93312->93286 93312->93291 93312->93314 93312->93338 93314->93303 93314->93305 93314->93308 93314->93309 93320 348beb 93314->93320 93322 2dfe30 335 API calls 93314->93322 93326 2df537 Mailbox 93314->93326 93327 2e1b90 48 API calls 93314->93327 93329 2dfce0 93314->93329 93405 2ddd47 48 API calls _memcpy_s 93314->93405 93417 3097ed InterlockedDecrement 93314->93417 93425 2ec1af 48 API calls 93314->93425 93317->93301 93317->93307 93317->93314 93317->93326 93317->93329 93418 32f5ee 335 API calls 93318->93418 93421 31cc5c 86 API calls 4 library calls 93319->93421 93422 32bdbd 335 API calls Mailbox 93320->93422 93322->93314 93326->93175 93327->93314 93329->93326 93420 31cc5c 86 API calls 4 library calls 93329->93420 93389 2e1b90 93330->93389 93331 348c00 93331->93326 93423 31cc5c 86 API calls 4 library calls 93331->93423 93335 34884b 93412 32ccdc 48 API calls 93335->93412 93336 348823 93336->93291 93336->93335 93338->93288 93338->93300 93338->93314 93339 348857 93341 348865 93339->93341 93342 3488aa 93339->93342 93413 319b72 48 API calls 93341->93413 93345 3488a0 Mailbox 93342->93345 93414 31a69d 48 API calls 93342->93414 93343 2dfe30 335 API calls 93343->93326 93345->93343 93347 3488e7 93415 2dbc74 48 API calls 93347->93415 93350 2e479f 93349->93350 93351 2e4637 93349->93351 93354 2dce19 48 API calls 93350->93354 93352 346e05 93351->93352 93353 2e4643 93351->93353 93488 32e822 93352->93488 93487 2e4300 335 API calls _memcpy_s 93353->93487 93357 2e46e4 Mailbox 93354->93357 93428 316524 93357->93428 93431 2d4252 93357->93431 93437 31fa0c 93357->93437 93478 326ff0 93357->93478 93358 2e4659 93358->93357 93359 2e4739 Mailbox 93358->93359 93360 346e11 93358->93360 93359->93175 93360->93359 93528 31cc5c 86 API calls 4 library calls 93360->93528 93367 34df42 
[Execution graph: the page here carried a flattened node/edge dump of the sample's call graph (node records of the form "<id> <hex address> [label]", edges of the form "<src>-><dst>", node ids 93157 to 94903 at addresses in the 0x2d0000 to 0x350000 range). The edge list itself is not reproduced. Windows API calls named on the graph nodes, grouped by family: window and message handling (TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, IsThemeActive, SystemParametersInfoW, MessageBoxA, CharUpperBuffW); file, directory and resource handling (GetFileAttributesW, FindFirstFileW, FindClose, CreateFileW, ReadFile, WriteFile, CloseHandle, GetCurrentDirectoryW, GetTempPathW, GetTempFileNameW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal); loader (LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleExW, GetModuleFileNameW); process and CRT start-up, timing and termination (GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, HeapAlloc, RtlFreeHeap, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetCurrentProcess, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, ExitProcess, Sleep, GetLastError); console I/O and string conversion (GetStdHandle, GetFileType, GetConsoleMode, GetConsoleCP, ReadConsoleW, WriteConsoleW, MultiByteToWideChar, WideCharToMultiByte); synchronization (InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection). Two sequences worth noting from the dump: the resource chain FindResourceExW -> LoadResource -> SizeofResource -> LockResource reached from a CreateStreamOnHGlobal node, and an IsDebuggerPresent node one of whose successors is a MessageBoxA node. The remaining node labels are MSVC CRT internals (__getptd_noexit, __mtinitlocknum, __lock_file, __fflush_nolock, __wsplitpath, _wcscpy, _wcscat, _wcschr, _memcpy_s, __wsopen_helper, ___raise_securityfailure) and Joe Sandbox annotations such as "48 API calls" and "Mailbox".]
94883->94884 94885 2d44ed 64 API calls 94884->94885 94886 31c4b4 94885->94886 94887 31bf5a GetSystemTimeAsFileTime 94886->94887 94888 31c4c7 94887->94888 94889 31c4f1 94888->94889 94890 31c4dc 94888->94890 94892 31c4f7 94889->94892 94893 31c556 94889->94893 94891 2f1c9d _free 47 API calls 94890->94891 94894 31c4e2 94891->94894 94895 31b965 118 API calls 94892->94895 94896 2f1c9d _free 47 API calls 94893->94896 94897 2f1c9d _free 47 API calls 94894->94897 94898 31c54e 94895->94898 94896->94899 94897->94899 94900 2f1c9d _free 47 API calls 94898->94900 94899->94837 94899->94838 94900->94899 94901->94858 94902->94860 94903->94857 95114 1258b33 95117 12587a8 95114->95117 95116 1258b7f 95118 12561d8 GetPEB 95117->95118 95121 1258847 95118->95121 95120 1258878 CreateFileW 95120->95121 95126 1258885 95120->95126 95122 12588a1 VirtualAlloc 95121->95122 95121->95126 95128 12589a8 CloseHandle 95121->95128 95129 12589b8 VirtualFree 95121->95129 95130 12596b8 GetPEB 95121->95130 95123 12588c2 ReadFile 95122->95123 95122->95126 95123->95126 95127 12588e0 VirtualAlloc 95123->95127 95124 1258a94 VirtualFree 95125 1258aa2 95124->95125 95125->95116 95126->95124 95126->95125 95127->95121 95127->95126 95128->95121 95129->95121 95131 12596e2 95130->95131 95131->95120 95132 349bec 95145 2e0ae0 _memcpy_s Mailbox 95132->95145 95134 2e1526 Mailbox 95224 31cc5c 86 API calls 4 library calls 95134->95224 95137 2dfec8 95138 2e1473 95137->95138 95140 2ef4ea 48 API calls 95137->95140 95141 2e0509 95137->95141 95142 2dffe1 Mailbox 95137->95142 95143 2e146e 95137->95143 95148 34a246 95137->95148 95154 2d6eed 48 API calls 95137->95154 95156 34a30e 95137->95156 95157 3097ed InterlockedDecrement 95137->95157 95158 2dd7f7 48 API calls 95137->95158 95161 34a973 95137->95161 95162 2f0f0a 52 API calls __cinit 95137->95162 95166 2e15b5 95137->95166 95219 2e1820 335 API calls 2 library calls 95137->95219 95220 2e1d10 59 API calls Mailbox 95137->95220 95226 31cc5c 86 API calls 4 library calls 95138->95226 
95140->95137 95227 31cc5c 86 API calls 4 library calls 95141->95227 95149 2d6eed 48 API calls 95143->95149 95145->95134 95145->95137 95145->95142 95159 2dce19 48 API calls 95145->95159 95165 32e822 335 API calls 95145->95165 95167 2ef4ea 48 API calls 95145->95167 95168 2dfe30 335 API calls 95145->95168 95169 34a706 95145->95169 95171 3097ed InterlockedDecrement 95145->95171 95172 326ff0 335 API calls 95145->95172 95175 330d09 95145->95175 95178 330d1d 95145->95178 95181 32f0ac 95145->95181 95213 31a6ef 95145->95213 95221 32ef61 82 API calls 2 library calls 95145->95221 95151 2d6eed 48 API calls 95148->95151 95149->95142 95150 34a922 95151->95142 95154->95137 95155 34a873 95156->95142 95222 3097ed InterlockedDecrement 95156->95222 95157->95137 95158->95137 95159->95145 95228 31cc5c 86 API calls 4 library calls 95161->95228 95162->95137 95164 34a982 95165->95145 95225 31cc5c 86 API calls 4 library calls 95166->95225 95167->95145 95168->95145 95223 31cc5c 86 API calls 4 library calls 95169->95223 95171->95145 95172->95145 95229 32f8ae 95175->95229 95177 330d19 95177->95145 95179 32f8ae 129 API calls 95178->95179 95180 330d2d 95179->95180 95180->95145 95182 2dd7f7 48 API calls 95181->95182 95183 32f0c0 95182->95183 95184 2dd7f7 48 API calls 95183->95184 95185 32f0c8 95184->95185 95186 2dd7f7 48 API calls 95185->95186 95187 32f0d0 95186->95187 95188 2d936c 81 API calls 95187->95188 95212 32f0de 95188->95212 95189 2d6a63 48 API calls 95189->95212 95190 32f2cc 95191 32f2f9 Mailbox 95190->95191 95331 2d6b68 48 API calls 95190->95331 95191->95145 95193 32f2b3 95194 2d518c 48 API calls 95193->95194 95196 32f2c0 95194->95196 95195 32f2ce 95198 2d518c 48 API calls 95195->95198 95201 2d510d 48 API calls 95196->95201 95197 2dc799 48 API calls 95197->95212 95202 32f2dd 95198->95202 95199 2d6eed 48 API calls 95199->95212 95200 2dbdfa 48 API calls 95203 32f175 CharUpperBuffW 95200->95203 95201->95190 95204 2d510d 48 API calls 95202->95204 95206 2dd645 53 API calls 95203->95206 
95204->95190 95205 2dbdfa 48 API calls 95207 32f23a CharUpperBuffW 95205->95207 95206->95212 95330 2ed922 55 API calls 2 library calls 95207->95330 95209 2d936c 81 API calls 95209->95212 95210 2d518c 48 API calls 95210->95212 95211 2d510d 48 API calls 95211->95212 95212->95189 95212->95190 95212->95191 95212->95193 95212->95195 95212->95197 95212->95199 95212->95200 95212->95205 95212->95209 95212->95210 95212->95211 95214 31a6fb 95213->95214 95215 2ef4ea 48 API calls 95214->95215 95216 31a709 95215->95216 95217 2dd7f7 48 API calls 95216->95217 95218 31a717 95216->95218 95217->95218 95218->95145 95219->95137 95220->95137 95221->95145 95222->95142 95223->95134 95224->95142 95225->95142 95226->95155 95227->95150 95228->95164 95230 2d936c 81 API calls 95229->95230 95231 32f8ea 95230->95231 95254 32f92c Mailbox 95231->95254 95265 330567 95231->95265 95233 32fb8b 95234 32fcfa 95233->95234 95238 32fb95 95233->95238 95313 330688 89 API calls Mailbox 95234->95313 95237 32fd07 95237->95238 95240 32fd13 95237->95240 95278 32f70a 95238->95278 95239 2d936c 81 API calls 95259 32f984 Mailbox 95239->95259 95240->95254 95245 32fbc9 95292 2eed18 95245->95292 95248 32fbe3 95311 31cc5c 86 API calls 4 library calls 95248->95311 95249 32fbfd 95251 2ec050 48 API calls 95249->95251 95252 32fc14 95251->95252 95255 32fc3e 95252->95255 95256 2e1b90 48 API calls 95252->95256 95253 32fbee GetCurrentProcess TerminateProcess 95253->95249 95254->95177 95257 32fd65 95255->95257 95261 2e1b90 48 API calls 95255->95261 95296 33040f 95255->95296 95312 2ddcae 50 API calls Mailbox 95255->95312 95258 32fc2d 95256->95258 95257->95254 95262 32fd7e FreeLibrary 95257->95262 95260 33040f 105 API calls 95258->95260 95259->95233 95259->95239 95259->95254 95259->95259 95309 3329e8 48 API calls _memcpy_s 95259->95309 95310 32fda5 60 API calls 2 library calls 95259->95310 95260->95255 95261->95255 95262->95254 95266 2dbdfa 48 API calls 95265->95266 95267 330582 CharLowerBuffW 95266->95267 95314 311f11 
95267->95314 95271 2dd7f7 48 API calls 95272 3305bb 95271->95272 95321 2d69e9 48 API calls _memcpy_s 95272->95321 95274 3305d2 95275 2db18b 48 API calls 95274->95275 95276 3305de Mailbox 95275->95276 95277 33061a Mailbox 95276->95277 95322 32fda5 60 API calls 2 library calls 95276->95322 95277->95259 95279 32f725 95278->95279 95283 32f77a 95278->95283 95280 2ef4ea 48 API calls 95279->95280 95282 32f747 95280->95282 95281 2ef4ea 48 API calls 95281->95282 95282->95281 95282->95283 95284 330828 95283->95284 95285 330a53 Mailbox 95284->95285 95291 33084b _strcat _wcscpy __NMSG_WRITE 95284->95291 95285->95245 95286 2dcf93 58 API calls 95286->95291 95287 2dd286 48 API calls 95287->95291 95288 2d936c 81 API calls 95288->95291 95289 2f395c 47 API calls _W_store_winword 95289->95291 95291->95285 95291->95286 95291->95287 95291->95288 95291->95289 95325 318035 50 API calls __NMSG_WRITE 95291->95325 95293 2eed2d 95292->95293 95294 2eedc5 VirtualProtect 95293->95294 95295 2eed93 95293->95295 95294->95295 95295->95248 95295->95249 95297 330427 95296->95297 95306 330443 95296->95306 95299 3304f8 95297->95299 95300 33044f 95297->95300 95301 33042e 95297->95301 95297->95306 95298 33051e 95298->95255 95329 319dc5 103 API calls 95299->95329 95328 2dcdb9 48 API calls 95300->95328 95326 317c56 50 API calls _strlen 95301->95326 95304 2f1c9d _free 47 API calls 95304->95298 95306->95298 95306->95304 95307 330438 95327 2dcdb9 48 API calls 95307->95327 95309->95259 95310->95259 95311->95253 95312->95255 95313->95237 95315 311f3b __NMSG_WRITE 95314->95315 95316 311f79 95315->95316 95317 311f6f 95315->95317 95319 311ffa 95315->95319 95316->95271 95316->95276 95317->95316 95323 2ed37a 60 API calls 95317->95323 95319->95316 95324 2ed37a 60 API calls 95319->95324 95321->95274 95322->95277 95323->95317 95324->95319 95325->95291 95326->95307 95327->95306 95328->95306 95329->95306 95330->95212 95331->95191 95332 2df030 95333 2e3b70 335 API calls 95332->95333 95334 2df03c 95333->95334 95335 3419cb 
95340 2d2322 95335->95340 95337 3419d1 95373 2f0f0a 52 API calls __cinit 95337->95373 95339 3419db 95341 2d2344 95340->95341 95374 2d26df 95341->95374 95346 2dd7f7 48 API calls 95347 2d2384 95346->95347 95348 2dd7f7 48 API calls 95347->95348 95349 2d238e 95348->95349 95350 2dd7f7 48 API calls 95349->95350 95351 2d2398 95350->95351 95352 2dd7f7 48 API calls 95351->95352 95353 2d23de 95352->95353 95354 2dd7f7 48 API calls 95353->95354 95355 2d24c1 95354->95355 95382 2d263f 95355->95382 95359 2d24f1 95360 2dd7f7 48 API calls 95359->95360 95361 2d24fb 95360->95361 95411 2d2745 95361->95411 95363 2d2546 95364 2d2556 GetStdHandle 95363->95364 95365 34501d 95364->95365 95366 2d25b1 95364->95366 95365->95366 95368 345026 95365->95368 95367 2d25b7 CoInitialize 95366->95367 95367->95337 95418 3192d4 53 API calls 95368->95418 95370 34502d 95419 3199f9 CreateThread 95370->95419 95372 345039 CloseHandle 95372->95367 95373->95339 95420 2d2854 95374->95420 95377 2d6a63 48 API calls 95378 2d234a 95377->95378 95379 2d272e 95378->95379 95434 2d27ec 6 API calls 95379->95434 95381 2d237a 95381->95346 95383 2dd7f7 48 API calls 95382->95383 95384 2d264f 95383->95384 95385 2dd7f7 48 API calls 95384->95385 95386 2d2657 95385->95386 95435 2d26a7 95386->95435 95389 2d26a7 48 API calls 95390 2d2667 95389->95390 95391 2dd7f7 48 API calls 95390->95391 95392 2d2672 95391->95392 95393 2ef4ea 48 API calls 95392->95393 95394 2d24cb 95393->95394 95395 2d22a4 95394->95395 95396 2d22b2 95395->95396 95397 2dd7f7 48 API calls 95396->95397 95398 2d22bd 95397->95398 95399 2dd7f7 48 API calls 95398->95399 95400 2d22c8 95399->95400 95401 2dd7f7 48 API calls 95400->95401 95402 2d22d3 95401->95402 95403 2dd7f7 48 API calls 95402->95403 95404 2d22de 95403->95404 95405 2d26a7 48 API calls 95404->95405 95406 2d22e9 95405->95406 95407 2ef4ea 48 API calls 95406->95407 95408 2d22f0 95407->95408 95409 341fe7 95408->95409 95410 2d22f9 RegisterWindowMessageW 95408->95410 95410->95359 95412 2d2755 95411->95412 95413 
345f4d 95411->95413 95414 2ef4ea 48 API calls 95412->95414 95440 31c942 50 API calls 95413->95440 95417 2d275d 95414->95417 95416 345f58 95417->95363 95418->95370 95419->95372 95441 3199df 54 API calls 95419->95441 95427 2d2870 95420->95427 95423 2d2870 48 API calls 95424 2d2864 95423->95424 95425 2dd7f7 48 API calls 95424->95425 95426 2d2716 95425->95426 95426->95377 95428 2dd7f7 48 API calls 95427->95428 95429 2d287b 95428->95429 95430 2dd7f7 48 API calls 95429->95430 95431 2d2883 95430->95431 95432 2dd7f7 48 API calls 95431->95432 95433 2d285c 95432->95433 95433->95423 95434->95381 95436 2dd7f7 48 API calls 95435->95436 95437 2d26b0 95436->95437 95438 2dd7f7 48 API calls 95437->95438 95439 2d265f 95438->95439 95439->95389 95440->95416

                                                                                                                          Control-flow Graph

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 69626e79747b15d79e0601c7c2d163d36abf4d43b8cf2d3ccfe6a22cea8de7db
                                                                                                                          • Instruction ID: 6c121514653c79f4bc2e388c703c2c72ee9fed20b3b723c83aba6109d189c198
                                                                                                                          • Opcode Fuzzy Hash: 69626e79747b15d79e0601c7c2d163d36abf4d43b8cf2d3ccfe6a22cea8de7db
                                                                                                                          • Instruction Fuzzy Hash: C0328E75A222298FCB269F14DC406E9F7B9FF46350F0840E9E50AE7A91D7309E90CF52

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002D3AA3,?), ref: 002D3D45
                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,002D3AA3,?), ref: 002D3D57
                                                                                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,00391148,00391130,?,?,?,?,002D3AA3,?), ref: 002D3DC8
                                                                                                                            • Part of subcall function 002D6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3DEE,00391148,?,?,?,?,?,002D3AA3,?), ref: 002D6471
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,002D3AA3,?), ref: 002D3E48
                                                                                                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003828F4,00000010), ref: 00341CCE
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,00391148,?,?,?,?,?,002D3AA3,?), ref: 00341D06
                                                                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0036DAB4,00391148,?,?,?,?,?,002D3AA3,?), ref: 00341D89
                                                                                                                          • ShellExecuteW.SHELL32(00000000,?,?,?,?,002D3AA3), ref: 00341D90
                                                                                                                            • Part of subcall function 002D3E6E: GetSysColorBrush.USER32(0000000F), ref: 002D3E79
                                                                                                                            • Part of subcall function 002D3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 002D3E88
                                                                                                                            • Part of subcall function 002D3E6E: LoadIconW.USER32(00000063), ref: 002D3E9E
                                                                                                                            • Part of subcall function 002D3E6E: LoadIconW.USER32(000000A4), ref: 002D3EB0
                                                                                                                            • Part of subcall function 002D3E6E: LoadIconW.USER32(000000A2), ref: 002D3EC2
                                                                                                                            • Part of subcall function 002D3E6E: RegisterClassExW.USER32(?), ref: 002D3F30
                                                                                                                            • Part of subcall function 002D36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D36E6
                                                                                                                            • Part of subcall function 002D36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3707
                                                                                                                            • Part of subcall function 002D36B8: ShowWindow.USER32(00000000,?,?,?,?,002D3AA3,?), ref: 002D371B
                                                                                                                            • Part of subcall function 002D36B8: ShowWindow.USER32(00000000,?,?,?,?,002D3AA3,?), ref: 002D3724
                                                                                                                            • Part of subcall function 002D4FFC: _memset.LIBCMT ref: 002D5022
                                                                                                                            • Part of subcall function 002D4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D50CB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                          • String ID: ()8$This is a third-party compiled AutoIt script.$runas
                                                                                                                          • API String ID: 438480954-2717195811
                                                                                                                          • Opcode ID: 17aa182a0caaa056802c47d7f002bf8411ce3f999eebd0977a97c61424b982ef
                                                                                                                          • Instruction ID: 8a27252d7e9336559c8909bfc5d188d24d641f2a2c811c1adf688acfa0f7fb95
                                                                                                                          • Opcode Fuzzy Hash: 17aa182a0caaa056802c47d7f002bf8411ce3f999eebd0977a97c61424b982ef
                                                                                                                          • Instruction Fuzzy Hash: A351D231A2424ABACF13EBB0DC45AEE7B799F05740F004067F551663A2DA719E65CB22

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetVersionExW.KERNEL32(?), ref: 002EDDEC
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,0036DC38,?,?), ref: 002EDEAC
                                                                                                                          • GetNativeSystemInfo.KERNELBASE(?,0036DC38,?,?), ref: 002EDF01
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 002EDF0C
                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 002EDF1F
                                                                                                                          • GetSystemInfo.KERNEL32(?,0036DC38,?,?), ref: 002EDF29
                                                                                                                          • GetSystemInfo.KERNEL32(?,0036DC38,?,?), ref: 002EDF35
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3851250370-0
                                                                                                                          • Opcode ID: 9e2cafa20939e41479f451e7f29dfc1be5425d3855c07be1893b82949a1ab466
                                                                                                                          • Instruction ID: 90cbb633de29ee120d3b497c426ca83ca5bb9530de02165794c88911bc599fa3
                                                                                                                          • Opcode Fuzzy Hash: 9e2cafa20939e41479f451e7f29dfc1be5425d3855c07be1893b82949a1ab466
                                                                                                                          • Instruction Fuzzy Hash: DE61A0B182A3C4CBCF16CF6998C41EA7FB4AF29300B5989D9D845AF247C624C958CB65

Control-flow Graph

(graph rendering not preserved in the extracted report; legend: Executed / Not Executed; graph covers the function starting at 2d406b)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002D449E,?,?,00000000,00000001), ref: 002D407B
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002D449E,?,?,00000000,00000001), ref: 002D4092
• LoadResource.KERNEL32(?,00000000,?,?,002D449E,?,?,00000000,00000001,?,?,?,?,?,?,002D41FB), ref: 00344F1A
• SizeofResource.KERNEL32(?,00000000,?,?,002D449E,?,?,00000000,00000001,?,?,?,?,?,?,002D41FB), ref: 00344F2F
• LockResource.KERNEL32(002D449E,?,?,002D449E,?,?,00000000,00000001,?,?,?,?,?,?,002D41FB,00000000), ref: 00344F42
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 77a1cdd7d079e1278cdb4a657a9c3ecf62b5c9bdb5d57d7491f317f8ceafcc11
• Instruction ID: 518f17d39686934005c35cfc29fcfad4ab2bc9a742132259465d1df38f2fabb9
• Opcode Fuzzy Hash: 77a1cdd7d079e1278cdb4a657a9c3ecf62b5c9bdb5d57d7491f317f8ceafcc11
• Instruction Fuzzy Hash: 19115A70244701AFE7369B25EC49F277BBDEBC5B52F10856EF602866A0DA71DC008A21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: @$ 9$ 9$ 9
• API String ID: 3728558374-128113746
• Opcode ID: 6a6af90f691ba0107be9cbcc95b079fa2389330fec388ee4df9e498fc1c3e964
• Instruction ID: 4fb481b24f52d0ae7a10a9b4a782aa7bfe205105627d33cd1e6bca5bff393df7
• Opcode Fuzzy Hash: 6a6af90f691ba0107be9cbcc95b079fa2389330fec388ee4df9e498fc1c3e964
• Instruction Fuzzy Hash: 21720F30E60249EFCF25EF95C885ABEB7B5EF08300F54805AE909AB351C771AE55CB91
APIs
• GetFileAttributesW.KERNELBASE(?,00342F49), ref: 00316CB9
• FindFirstFileW.KERNELBASE(?,?), ref: 00316CCA
• FindClose.KERNEL32(00000000), ref: 00316CDA
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 6dce89ec286854f37318a1af76fec5a9ab1715259a89b65f8be49f8dd32fc714
• Instruction ID: a66f09f008fefb4945dcaf302ccc1acfcad4c3cfd7e9eeaf12c8685b46905217
• Opcode Fuzzy Hash: 6dce89ec286854f37318a1af76fec5a9ab1715259a89b65f8be49f8dd32fc714
• Instruction Fuzzy Hash: E1E080318159155782356778EC0E4ED7B6CDE0933AF104715F575C11F0E770DE9445E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: BuffCharUpper
• String ID: 9
• API String ID: 3964851224-783300662
• Opcode ID: 15bd6f1fd010bf3b676a1f65665d23b9ce3dbb67604b6bd10c9c735d2f6a49f5
• Instruction ID: 886246a4837c855e512af62b332891a0555db96582a60180844b427f41616093
• Opcode Fuzzy Hash: 15bd6f1fd010bf3b676a1f65665d23b9ce3dbb67604b6bd10c9c735d2f6a49f5
• Instruction Fuzzy Hash: E092AA70618381CFD725CF19C484B6AB7E4BF88308F54885EE88A8B362D771ED55CB92
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DE959
• timeGetTime.WINMM ref: 002DEBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DED2E
• TranslateMessage.USER32(?), ref: 002DED3F
• DispatchMessageW.USER32(?), ref: 002DED4A
• LockWindowUpdate.USER32(00000000), ref: 002DED79
• DestroyWindow.USER32 ref: 002DED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002DED9F
• Sleep.KERNEL32(0000000A), ref: 00345270
• TranslateMessage.USER32(?), ref: 003459F7
• DispatchMessageW.USER32(?), ref: 00345A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00345A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: b230c10788e4b9b60ba14c23809bd236f9d09ab0d6d5987d0ea1dbf491064b09
• Instruction ID: dc85854466607ca53352cc9876bcb6a682148970586aa52ed844ea0b22d7dfd2
• Opcode Fuzzy Hash: b230c10788e4b9b60ba14c23809bd236f9d09ab0d6d5987d0ea1dbf491064b09
• Instruction Fuzzy Hash: 2D62C170518341DFDB26EF24C885BAA77E8BF44304F15486BE9468F292DBB1AC58CB52
                                                                                                                          APIs
                                                                                                                          • ___createFile.LIBCMT ref: 00305EC3
                                                                                                                          • ___createFile.LIBCMT ref: 00305F04
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00305F2D
                                                                                                                          • __dosmaperr.LIBCMT ref: 00305F34
                                                                                                                          • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00305F47
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00305F6A
                                                                                                                          • __dosmaperr.LIBCMT ref: 00305F73
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00305F7C
                                                                                                                          • __set_osfhnd.LIBCMT ref: 00305FAC
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00306016
                                                                                                                          • __close_nolock.LIBCMT ref: 0030603C
                                                                                                                          • __chsize_nolock.LIBCMT ref: 0030606C
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 0030607E
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 00306176
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 0030618B
                                                                                                                          • __close_nolock.LIBCMT ref: 003061EB
                                                                                                                            • Part of subcall function 002FEA9C: CloseHandle.KERNELBASE(00000000,0037EEF4,00000000,?,00306041,0037EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002FEAEC
                                                                                                                            • Part of subcall function 002FEA9C: GetLastError.KERNEL32(?,00306041,0037EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002FEAF6
                                                                                                                            • Part of subcall function 002FEA9C: __free_osfhnd.LIBCMT ref: 002FEB03
                                                                                                                            • Part of subcall function 002FEA9C: __dosmaperr.LIBCMT ref: 002FEB25
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          • __lseeki64_nolock.LIBCMT ref: 0030620D
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00306342
                                                                                                                          • ___createFile.LIBCMT ref: 00306361
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0030636E
                                                                                                                          • __dosmaperr.LIBCMT ref: 00306375
                                                                                                                          • __free_osfhnd.LIBCMT ref: 00306395
                                                                                                                          • __invoke_watson.LIBCMT ref: 003063C3
                                                                                                                          • __wsopen_helper.LIBCMT ref: 003063DD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 3896587723-2766056989
                                                                                                                          • Opcode ID: b027069845be2caec9ad0275aab79b63d83d0815e3d9b10df3f7415a8118d46a
                                                                                                                          • Instruction ID: 7ac719e0f1a982e59bab02cfc9940849b40ce108a7c1620a413cf594be11cfaa
                                                                                                                          • Opcode Fuzzy Hash: b027069845be2caec9ad0275aab79b63d83d0815e3d9b10df3f7415a8118d46a
                                                                                                                          • Instruction Fuzzy Hash: D322667190660A9FEF2B9F68CC66BBE7B25EF00314F254229E5119B2E5C3358D60CF91

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FA96
                                                                                                                          • _wcschr.LIBCMT ref: 0031FAA4
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FABB
                                                                                                                          • _wcscat.LIBCMT ref: 0031FACA
                                                                                                                          • _wcscat.LIBCMT ref: 0031FAE8
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FB09
                                                                                                                          • __wsplitpath.LIBCMT ref: 0031FBE6
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FC0B
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FC1D
                                                                                                                          • _wcscpy.LIBCMT ref: 0031FC32
                                                                                                                          • _wcscat.LIBCMT ref: 0031FC47
                                                                                                                          • _wcscat.LIBCMT ref: 0031FC59
                                                                                                                          • _wcscat.LIBCMT ref: 0031FC6E
                                                                                                                            • Part of subcall function 0031BFA4: _wcscmp.LIBCMT ref: 0031C03E
                                                                                                                            • Part of subcall function 0031BFA4: __wsplitpath.LIBCMT ref: 0031C083
                                                                                                                            • Part of subcall function 0031BFA4: _wcscpy.LIBCMT ref: 0031C096
                                                                                                                            • Part of subcall function 0031BFA4: _wcscat.LIBCMT ref: 0031C0A9
                                                                                                                            • Part of subcall function 0031BFA4: __wsplitpath.LIBCMT ref: 0031C0CE
                                                                                                                            • Part of subcall function 0031BFA4: _wcscat.LIBCMT ref: 0031C0E4
                                                                                                                            • Part of subcall function 0031BFA4: _wcscat.LIBCMT ref: 0031C0F7
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$t28
                                                                                                                          • API String ID: 2955681530-2758471287
                                                                                                                          • Opcode ID: e3db8dbc3d862ab681aa0953ccf8b41acad42a602d2e8e46ba90019d3ff2d3ff
                                                                                                                          • Instruction ID: 924a1ca07050e9c751cb2dd72abb4d2e8f4a36a4e65076d77225d5b2a44f134d
                                                                                                                          • Opcode Fuzzy Hash: e3db8dbc3d862ab681aa0953ccf8b41acad42a602d2e8e46ba90019d3ff2d3ff
                                                                                                                          • Instruction Fuzzy Hash: 8191C4725147459FCB15FB54C891FAAB3E8BF88300F04486AF94997292DB30ED94CF92
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3074181302-0
                                                                                                                          • Opcode ID: 335f318270782c4b57e7218ba6f5999a82c7b4cdedb226c3bbb3674bf8ce614e
                                                                                                                          • Instruction ID: 5cc7b411b965114fa0d78d70d70b58dd10e1566fcd6c975435346f3e76bc612a
                                                                                                                          • Opcode Fuzzy Hash: 335f318270782c4b57e7218ba6f5999a82c7b4cdedb226c3bbb3674bf8ce614e
                                                                                                                          • Instruction Fuzzy Hash: 92326C71E2425ECFDB218F58C940BBDFBB1AF45394F24407AEA559F2A2C7709851CB60

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 002D3F86
                                                                                                                          • RegisterClassExW.USER32(00000030), ref: 002D3FB0
                                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3FC1
                                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 002D3FDE
                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D3FEE
                                                                                                                          • LoadIconW.USER32(000000A9), ref: 002D4004
                                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D4013
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                                          • Opcode ID: 7ebaf3fe5b355c6ebfc928ae9e23d0c0bf875a0048ad2f2dc48beb5003a1e9a2
                                                                                                                          • Instruction ID: b25ca69d42dac3da6791c4efdaef1b23527a8e659753fabb4b39c37cb77ed191
                                                                                                                          • Opcode Fuzzy Hash: 7ebaf3fe5b355c6ebfc928ae9e23d0c0bf875a0048ad2f2dc48beb5003a1e9a2
                                                                                                                          • Instruction Fuzzy Hash: 5F21C5B5D00359AFDB12DFA5EC89BCEBBB8FB08711F00411AF915B62A0D7B545448F91
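The two records above expose the strings a compiled AutoIt stub carries in its runtime: the ">>>AUTOIT SCRIPT<<<" marker (String ID of the __wsplitpath/_wcscat path-building routine) and the "AutoIt v3 GUI" window class registered next to the "TaskbarCreated" message. The Python helper below is an added triage example, not code from the Joe Sandbox report or from AutoIt: it searches a file image for those two markers in both ASCII and UTF-16LE (the listing shows wide-char CRT handling, so either encoding is plausible) and flags a filename that hides an executable extension behind a document-looking one. The extension sets, the sample name and the sample bytes are constructed for illustration.

```python
"""Triage helper for compiled-AutoIt droppers (added example, not report code).

Checks a blob for the marker strings exposed in the listing above
(">>>AUTOIT SCRIPT<<<" and the "AutoIt v3 GUI" window class) and checks
whether a filename hides an executable extension behind a document-looking
one.  Extension lists and sample data below are constructed assumptions.
"""

# Marker strings visible in the String IDs of the two records above.
AUTOIT_MARKERS = (">>>AUTOIT SCRIPT<<<", "AutoIt v3 GUI")

# Assumption: these extension sets are ours, chosen to cover common lures;
# they are not taken from the report.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta"}


def find_autoit_markers(blob: bytes) -> dict:
    """Map each marker present in ``blob`` to the encodings it occurs in.

    The runtime in the listing builds paths with wide-char CRT calls
    (_wcscpy/_wcscat/__wsplitpath), so a marker may be stored as UTF-16LE
    as well as ASCII; both encodings are searched.
    """
    hits = {}
    for marker in AUTOIT_MARKERS:
        found = [enc for enc in ("ascii", "utf-16-le")
                 if marker.encode(enc) in blob]
        if found:
            hits[marker] = found
    return hits


def is_double_extension(name: str) -> bool:
    """True when the last extension is executable and the one before it
    looks like a document, e.g. the constructed 'invoice (2).docx.exe'."""
    parts = name.lower().split(".")
    if len(parts) < 3:          # need a base name plus two extensions
        return False
    return ("." + parts[-1]) in EXECUTABLE_EXTS and \
           ("." + parts[-2]) in DOCUMENT_EXTS


def triage(name: str, blob: bytes) -> list:
    """Return human-readable indicators for a (filename, content) pair."""
    indicators = []
    if is_double_extension(name):
        indicators.append(f"double extension in filename: {name}")
    for marker, encodings in find_autoit_markers(blob).items():
        indicators.append(
            f"compiled-AutoIt marker {marker!r} ({', '.join(encodings)})")
    return indicators


# Constructed sample: an MZ header followed by the two markers, one stored
# as UTF-16LE and one as ASCII.  These are not bytes from the analysed file.
SAMPLE_NAME = "invoice (2).docx.exe"
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b">>>AUTOIT SCRIPT<<<" + b"\x00"
)

if __name__ == "__main__":
    for line in triage(SAMPLE_NAME, SAMPLE_BLOB):
        print(line)
```

Run it against a real file with `triage(path.name, path.read_bytes())`; a hit on the markers says only that the binary embeds the AutoIt runtime, so treat it as a pivot for unpacking the script rather than as a verdict on its own.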

                                                                                                                          Control-flow Graph

                                                                                                                          • Graph (interactive rendering not preserved): entry block 31bfa4, exit via 31c385-31c393; file-operation blocks 31c29a (DeleteFileW), 31c331 (DeleteFileW), 31c342 (CopyFileW), 31c358 (DeleteFileW), 31c36a (DeleteFileW)
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0031BDB4: __time64.LIBCMT ref: 0031BDBE
                                                                                                                            • Part of subcall function 002D4517: _fseek.LIBCMT ref: 002D452F
                                                                                                                          • __wsplitpath.LIBCMT ref: 0031C083
                                                                                                                            • Part of subcall function 002F1DFC: __wsplitpath_helper.LIBCMT ref: 002F1E3C
                                                                                                                          • _wcscpy.LIBCMT ref: 0031C096
                                                                                                                          • _wcscat.LIBCMT ref: 0031C0A9
                                                                                                                          • __wsplitpath.LIBCMT ref: 0031C0CE
                                                                                                                          • _wcscat.LIBCMT ref: 0031C0E4
                                                                                                                          • _wcscat.LIBCMT ref: 0031C0F7
                                                                                                                          • _wcscmp.LIBCMT ref: 0031C03E
                                                                                                                            • Part of subcall function 0031C56D: _wcscmp.LIBCMT ref: 0031C65D
                                                                                                                            • Part of subcall function 0031C56D: _wcscmp.LIBCMT ref: 0031C670
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0031C2A1
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0031C338
                                                                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0031C34E
                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0031C35F
                                                                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0031C371
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2378138488-0
                                                                                                                          • Opcode ID: 824eb95d74fdfcb4f19fcfef735ab06e68be35603f97fd3daa8696b34023440f
                                                                                                                          • Instruction ID: be519d82e79ab914eb689033ed17932c71a169ad4eb34fd9fc49fbc8fcec470b
                                                                                                                          • Opcode Fuzzy Hash: 824eb95d74fdfcb4f19fcfef735ab06e68be35603f97fd3daa8696b34023440f
                                                                                                                          • Instruction Fuzzy Hash: 72C13DB1D50219AFDF26EF95CC81EEEB7BDAF49340F0040A6F609E6151DB309A948F61

                                                                                                                          Control-flow Graph

                                                                                                                          • Graph (interactive rendering not preserved): entry block 2d3742; API blocks 2d37ab (DefWindowProcW), 2d37da (KillTimer), 2d37f6 (SetTimer, RegisterWindowMessageW), 2d381f (CreatePopupMenu), 2d382c (PostQuitMessage), 341dcb (SetFocus), 341ddc (MoveWindow)
                                                                                                                          APIs
                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 002D37B3
                                                                                                                          • KillTimer.USER32(?,00000001), ref: 002D37DD
                                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D3800
                                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D380B
                                                                                                                          • CreatePopupMenu.USER32 ref: 002D381F
                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 002D382E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                          • String ID: TaskbarCreated
                                                                                                                          • API String ID: 129472671-2362178303
                                                                                                                          • Opcode ID: 3e63ee7efff879cca3780435a6f3520baf82148f28818fa1a51d0cf31a193fc0
                                                                                                                          • Instruction ID: 2dbd6a595eecc1f05e50500eae97d107d0757d31ed44126bddb2af5e668677cc
                                                                                                                          • Opcode Fuzzy Hash: 3e63ee7efff879cca3780435a6f3520baf82148f28818fa1a51d0cf31a193fc0
                                                                                                                          • Instruction Fuzzy Hash: 4F4116F5134A47ABEB26DF68DC4AB7A7799F700341F400117F902E63E1CAA19DB09663

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 002D3E79
                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 002D3E88
                                                                                                                          • LoadIconW.USER32(00000063), ref: 002D3E9E
                                                                                                                          • LoadIconW.USER32(000000A4), ref: 002D3EB0
                                                                                                                          • LoadIconW.USER32(000000A2), ref: 002D3EC2
                                                                                                                            • Part of subcall function 002D4024: LoadImageW.USER32(002D0000,00000063,00000001,00000010,00000010,00000000), ref: 002D4048
                                                                                                                          • RegisterClassExW.USER32(?), ref: 002D3F30
                                                                                                                            • Part of subcall function 002D3F53: GetSysColorBrush.USER32(0000000F), ref: 002D3F86
                                                                                                                            • Part of subcall function 002D3F53: RegisterClassExW.USER32(00000030), ref: 002D3FB0
                                                                                                                            • Part of subcall function 002D3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3FC1
                                                                                                                            • Part of subcall function 002D3F53: InitCommonControlsEx.COMCTL32(?), ref: 002D3FDE
                                                                                                                            • Part of subcall function 002D3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D3FEE
                                                                                                                            • Part of subcall function 002D3F53: LoadIconW.USER32(000000A9), ref: 002D4004
                                                                                                                            • Part of subcall function 002D3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D4013
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                          • String ID: #$0$AutoIt v3
                                                                                                                          • API String ID: 423443420-4155596026
                                                                                                                          • Opcode ID: 0bd45e164b3cd13eed643ca0f39f2c4c45ce14bcefd062fbc42d946a4b1ad222
                                                                                                                          • Instruction ID: 06719dfd1c1e474fa6834fc507076f4400627155b59d378a91e2c5cd37db6705
                                                                                                                          • Opcode Fuzzy Hash: 0bd45e164b3cd13eed643ca0f39f2c4c45ce14bcefd062fbc42d946a4b1ad222
                                                                                                                          • Instruction Fuzzy Hash: 802131B0D04305ABDB52DFA9EC46A9ABFF9EB48314F00411BE614B73B0D77646508F91

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1234 12587a8-1258856 call 12561d8 1237 125885d-1258883 call 12596b8 CreateFileW 1234->1237 1240 1258885 1237->1240 1241 125888a-125889a 1237->1241 1242 12589d5-12589d9 1240->1242 1248 12588a1-12588bb VirtualAlloc 1241->1248 1249 125889c 1241->1249 1243 1258a1b-1258a1e 1242->1243 1244 12589db-12589df 1242->1244 1250 1258a21-1258a28 1243->1250 1246 12589e1-12589e4 1244->1246 1247 12589eb-12589ef 1244->1247 1246->1247 1251 12589f1-12589fb 1247->1251 1252 12589ff-1258a03 1247->1252 1253 12588c2-12588d9 ReadFile 1248->1253 1254 12588bd 1248->1254 1249->1242 1255 1258a7d-1258a92 1250->1255 1256 1258a2a-1258a35 1250->1256 1251->1252 1259 1258a05-1258a0f 1252->1259 1260 1258a13 1252->1260 1261 12588e0-1258920 VirtualAlloc 1253->1261 1262 12588db 1253->1262 1254->1242 1257 1258a94-1258a9f VirtualFree 1255->1257 1258 1258aa2-1258aaa 1255->1258 1263 1258a37 1256->1263 1264 1258a39-1258a45 1256->1264 1257->1258 1259->1260 1260->1243 1267 1258927-1258942 call 1259908 1261->1267 1268 1258922 1261->1268 1262->1242 1263->1255 1265 1258a47-1258a57 1264->1265 1266 1258a59-1258a65 1264->1266 1269 1258a7b 1265->1269 1270 1258a67-1258a70 1266->1270 1271 1258a72-1258a78 1266->1271 1274 125894d-1258957 1267->1274 1268->1242 1269->1250 1270->1269 1271->1269 1275 1258959-1258988 call 1259908 1274->1275 1276 125898a-125899e call 1259718 1274->1276 1275->1274 1282 12589a0 1276->1282 1283 12589a2-12589a6 1276->1283 1282->1242 1284 12589b2-12589b6 1283->1284 1285 12589a8-12589ac CloseHandle 1283->1285 1286 12589c6-12589cf 1284->1286 1287 12589b8-12589c3 VirtualFree 1284->1287 1285->1284 1286->1237 1286->1242 1287->1286
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01258879
                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01258A9F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileFreeVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 204039940-0
                                                                                                                          • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                                                          • Instruction ID: 3e75a7bafca4a98f2b43009b6ee009339d5f72316006e8b15bc02d8e271dd22d
                                                                                                                          • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                                                          • Instruction Fuzzy Hash: DCA12970E10209EBDB54CFA5C895BEEBBB5FF48304F208159EA01BB280D7B59A80CF55

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1343 2d49fb-2d4a25 call 2dbcce RegOpenKeyExW 1346 2d4a2b-2d4a2f 1343->1346 1347 3441cc-3441e3 RegQueryValueExW 1343->1347 1348 3441e5-344222 call 2ef4ea call 2d47b7 RegQueryValueExW 1347->1348 1349 344246-34424f RegCloseKey 1347->1349 1354 344224-34423b call 2d6a63 1348->1354 1355 34423d-344245 call 2d47e2 1348->1355 1354->1355 1355->1349
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002D4A1D
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003441DB
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0034421A
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00344249
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue$CloseOpen
                                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                          • API String ID: 1586453840-614718249
                                                                                                                          • Opcode ID: 05195badeb3e45442d33cad0605f83b1b0db9f57ad35f38476384a447c0e3d28
                                                                                                                          • Instruction ID: ee3f08ef7b762377720ca34aa0ab14efcd39b673a0bc57c4e5688d470339b503
                                                                                                                          • Opcode Fuzzy Hash: 05195badeb3e45442d33cad0605f83b1b0db9f57ad35f38476384a447c0e3d28
                                                                                                                          • Instruction Fuzzy Hash: 29113A71A11209BFEB15ABA4CD86EEF7BACEF04344F104069B506E71A1EA70AE519B50

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1370 2d36b8-2d3728 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                          APIs
                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D36E6
                                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3707
                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,002D3AA3,?), ref: 002D371B
                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,002D3AA3,?), ref: 002D3724
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$CreateShow
                                                                                                                          • String ID: AutoIt v3$edit
                                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                                          • Opcode ID: 887911c7ea8a11f6ae4e208460bc9f552d74c934496203912889da3adf04a655
                                                                                                                          • Instruction ID: ea66fc41668ff62c335cfdb035faf8ad9c8edd9579be413ee6e8d1b27c7c412a
                                                                                                                          • Opcode Fuzzy Hash: 887911c7ea8a11f6ae4e208460bc9f552d74c934496203912889da3adf04a655
                                                                                                                          • Instruction Fuzzy Hash: A5F0DA75A402D27AEB325B57BC09E672E7DD7C6F24F00401BBA08A22B0C5630895DAB1

                                                                                                                          Control-flow Graph

                                                                                                                          control_flow_graph 1475 1258588-12586a1 call 12561d8 call 1258478 CreateFileW 1482 12586a3 1475->1482 1483 12586a8-12586b8 1475->1483 1484 1258758-125875d 1482->1484 1486 12586bf-12586d9 VirtualAlloc 1483->1486 1487 12586ba 1483->1487 1488 12586dd-12586f4 ReadFile 1486->1488 1489 12586db 1486->1489 1487->1484 1490 12586f6 1488->1490 1491 12586f8-1258732 call 12584b8 call 1257478 1488->1491 1489->1484 1490->1484 1496 1258734-1258749 call 1258508 1491->1496 1497 125874e-1258756 ExitProcess 1491->1497 1496->1497 1497->1484
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 01258478: Sleep.KERNELBASE(000001F4), ref: 01258489
                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01258697
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateFileSleep
                                                                                                                          • String ID: NOMCQKCAR96AM0LG
                                                                                                                          • API String ID: 2694422964-13277757
                                                                                                                          • Opcode ID: 1f1c138560460f9f19765f7644293c2613efacc26cd56cd5924fdece16999f78
                                                                                                                          • Instruction ID: 43958c1a5a6b68f8a5642b4a3add7606a22a89dfa4bac9433420085f871ccad1
                                                                                                                          • Opcode Fuzzy Hash: 1f1c138560460f9f19765f7644293c2613efacc26cd56cd5924fdece16999f78
                                                                                                                          • Instruction Fuzzy Hash: 75518371D1424ADBEF11DBA4C849BEFBBB5AF15300F004599EA08BB2C0D7B90B45CB65

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391148,?,002D61FF,?,00000000,00000001,00000000), ref: 002D5392
                                                                                                                            • Part of subcall function 002D49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002D4A1D
                                                                                                                          • _wcscat.LIBCMT ref: 00342D80
                                                                                                                          • _wcscat.LIBCMT ref: 00342DB5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat$FileModuleNameOpen
                                                                                                                          • String ID: 8!9$\$\Include\
                                                                                                                          • API String ID: 3592542968-3920107229
                                                                                                                          • Opcode ID: a063e51067141bb69f455525d97cab58121238d088e83d1c7a526a7790372315
                                                                                                                          • Instruction ID: 84cb939c583c945b24f90a78dc3b3ca1f95d67d9e867537050633e02c87acb29
                                                                                                                          • Opcode Fuzzy Hash: a063e51067141bb69f455525d97cab58121238d088e83d1c7a526a7790372315
                                                                                                                          • Instruction Fuzzy Hash: 75517075814740AFC716EF55D8818ABB7F8BE59300F80452FF64897361EB319928CF56
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 002D522F
                                                                                                                          • _wcscpy.LIBCMT ref: 002D5283
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D5293
                                                                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00343CB0
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                                                          • String ID: Line:
                                                                                                                          • API String ID: 1053898822-1585850449
                                                                                                                          • Opcode ID: 81fc67ccc9d5cad2f2eaced5a88a20ba6d77e268e9acc515c7d5faffb5380b8d
                                                                                                                          • Instruction ID: 2b41b50ab16e063da7402bc7030a6d10d37cf7b653793ec55062b49a9a5d034b
                                                                                                                          • Opcode Fuzzy Hash: 81fc67ccc9d5cad2f2eaced5a88a20ba6d77e268e9acc515c7d5faffb5380b8d
                                                                                                                          • Instruction Fuzzy Hash: 8731C1710287516FD322EB60DC46FDE77DCAF44300F00451BF589A2291EBB0AA68CF96
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002D39FE,?,00000001), ref: 002D41DB
                                                                                                                          • _free.LIBCMT ref: 003436B7
                                                                                                                          • _free.LIBCMT ref: 003436FE
                                                                                                                            • Part of subcall function 002DC833: __wsplitpath.LIBCMT ref: 002DC93E
                                                                                                                            • Part of subcall function 002DC833: _wcscpy.LIBCMT ref: 002DC953
                                                                                                                            • Part of subcall function 002DC833: _wcscat.LIBCMT ref: 002DC968
                                                                                                                            • Part of subcall function 002DC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002DC978
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                          • API String ID: 805182592-1757145024
                                                                                                                          • Opcode ID: 277dbedfb62b72449c855c4fd8a757cad813d8640d17b71606fdff6b73537bf6
                                                                                                                          • Instruction ID: 0cdaae07f05266f8d5d1db72ecf3ffd3613dd393ab58b394fcbc1160e8ea54f0
                                                                                                                          • Opcode Fuzzy Hash: 277dbedfb62b72449c855c4fd8a757cad813d8640d17b71606fdff6b73537bf6
                                                                                                                          • Instruction Fuzzy Hash: D7918D71920219AFCF05EFA5CC919EEB7B4BF19310F50402AF816AB291DB34AE55CF90
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00343725
                                                                                                                          • GetOpenFileNameW.COMDLG32 ref: 0034376F
                                                                                                                            • Part of subcall function 002D660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D53B1,?,?,002D61FF,?,00000000,00000001,00000000), ref: 002D662F
                                                                                                                            • Part of subcall function 002D40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D40C6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                          • String ID: X$t38
                                                                                                                          • API String ID: 3777226403-1853904476
                                                                                                                          • Opcode ID: 8d4715f075e4cc4ff446ec7b4c1c1502ab24abe53d286db6570a325e15c72768
                                                                                                                          • Instruction ID: 3468752b4bdd6473ca42365669225650c7df13792c635e37416fe3236aeb517f
                                                                                                                          • Opcode Fuzzy Hash: 8d4715f075e4cc4ff446ec7b4c1c1502ab24abe53d286db6570a325e15c72768
                                                                                                                          • Instruction Fuzzy Hash: E021D871A202889BCF02EFD4C8457EEBBFC9F49304F00405AE544A7341DBF49A998F61
                                                                                                                          APIs
                                                                                                                          • __getstream.LIBCMT ref: 002F34FE
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 002F3539
                                                                                                                          • __wopenfile.LIBCMT ref: 002F3549
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                                                          • String ID: <G
                                                                                                                          • API String ID: 1820251861-2138716496
                                                                                                                          • Opcode ID: a900a0f2141e3dfd10702ce6f975b5d1a7408eace6c5d648e5588fe3f265aacb
                                                                                                                          • Instruction ID: d17b5e8683aef947bbf8624486a049d574382566dfa53d987d05aa6c2ddba86d
                                                                                                                          • Opcode Fuzzy Hash: a900a0f2141e3dfd10702ce6f975b5d1a7408eace6c5d648e5588fe3f265aacb
                                                                                                                          • Instruction Fuzzy Hash: 00112770A2020E9ADB12FF708C4267EF6A0AF447D0B158435E615D7281EB70CA309BB1
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002ED28B,SwapMouseButtons,00000004,?), ref: 002ED2BC
                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002ED28B,SwapMouseButtons,00000004,?,?,?,?,002EC865), ref: 002ED2DD
                                                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,002ED28B,SwapMouseButtons,00000004,?,?,?,?,002EC865), ref: 002ED2FF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                          • String ID: Control Panel\Mouse
                                                                                                                          • API String ID: 3677997916-824357125
                                                                                                                          • Opcode ID: cb71c92358ae0ee84847ba482c463f8e7faa2a3650915784ebe7b01c8d947d94
                                                                                                                          • Instruction ID: 7fa1342387d4644e4063f1ecedb8f290f675750674a454b8f4aacd5f5cd9a0be
                                                                                                                          • Opcode Fuzzy Hash: cb71c92358ae0ee84847ba482c463f8e7faa2a3650915784ebe7b01c8d947d94
                                                                                                                          • Instruction Fuzzy Hash: 73117975A61249BFDB218FA6CC84EAF7BBCEF04740F404569E901E7120E771AE509B60
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01257C33
                                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01257CC9
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01257CEB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2438371351-0
                                                                                                                          • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                                                                          • Instruction ID: 956932aba1b6141197bfd20223ffc21678e9cc05b20658e223e94d22b3d950f6
                                                                                                                          • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                                                                          • Instruction Fuzzy Hash: C9620F30A24218DBEB64CFA4C841BDEB775EF58300F5091A9D60DEB390E7759E81CB59
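The entry directly above is the one worth pulling out of this listing: CreateProcessW, Wow64GetThreadContext and a 4-byte ReadProcessMemory, all recorded from a memory region the report marks as not based on a PE, are the opening calls commonly seen when one process stages another for hollowing (create the target, fetch its thread context, read from its address space before overwriting it). The value 00010007 shown next to Wow64GetThreadContext equals CONTEXT_FULL for a 32-bit context (CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS). The script below is an added example, not part of the Joe Sandbox report and not the sample's code: it parses the report's "APIs" bullet format, groups a function's calls into the stages of the hollowing setup, and decodes the context flags. The sample listing inside it is constructed from the entry above. One caveat it respects: the argument lists Joe Sandbox prints are read off the stack and often include return addresses and values from the caller's frame (the registry entry above shows 002ED28B and 002EC865 among the arguments), so the parser keeps arguments as strings and does not interpret their positions.

```python
"""Flag the process-hollowing call pattern in a Joe Sandbox function listing.

Added example; not part of the Joe Sandbox report and not the sample's code.
Parses '• Name.MODULE(args), ref: ADDR' bullets, groups one function's calls
into the stages of a hollowing setup, and names the CONTEXT_* bits in a
ContextFlags value.
"""
import re
from dataclasses import dataclass

# One API bullet from the report.  Subcall lines carry a
# "Part of subcall function XXXX:" prefix; the argument list is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_@][\w@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Stages of the hollowing setup and the APIs that usually implement each.
STAGES = {
    "create":  {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
                "NtUnmapViewOfSection", "NtWriteVirtualMemory"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}

# x86 CONTEXT flag bits from winnt.h; CONTEXT_FULL = CONTROL|INTEGER|SEGMENTS.
CONTEXT_BITS = {
    0x00010000: "CONTEXT_i386",
    0x00000001: "CONTEXT_CONTROL",
    0x00000002: "CONTEXT_INTEGER",
    0x00000004: "CONTEXT_SEGMENTS",
    0x00000008: "CONTEXT_FLOATING_POINT",
    0x00000010: "CONTEXT_DEBUG_REGISTERS",
    0x00000020: "CONTEXT_EXTENDED_REGISTERS",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list        # kept as raw strings: stack-derived, not trustworthy
    ref: int          # call-site address from the "ref:" field
    subcall: bool     # True when the report attributes it to a callee


def parse_api_lines(text):
    """Parse every API bullet in a listing; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",") if a.strip()]
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def hollowing_stages(calls):
    """Return the set of hollowing stages covered by the function's own calls."""
    hit = set()
    for c in calls:
        if c.subcall:      # subcall APIs belong to the callee, not this function
            continue
        for stage, names in STAGES.items():
            if c.name in names:
                hit.add(stage)
    return hit


def is_hollowing_candidate(calls):
    """Create + thread context + cross-process memory access in one function."""
    return {"create", "context", "memory"} <= hollowing_stages(calls)


def decode_context_flags(value):
    """Name the CONTEXT_* bits set in an x86 ContextFlags value."""
    return [name for bit, name in CONTEXT_BITS.items() if value & bit]


# Constructed from the report entry at offset 01256000 (based on PE: false).
SAMPLE_LISTING = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 01257C33
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01257CC9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01257CEB
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LISTING)
    for c in calls:
        print(f"{c.ref:08X} {c.name}.{c.module}{tuple(c.args)}")
    print("stages:", sorted(hollowing_stages(calls)))
    print("hollowing candidate:", is_hollowing_candidate(calls))
    print("0x10007 =", " | ".join(decode_context_flags(0x10007)))
```

Feed it the "APIs" block of any entry in this listing; only a function whose own (non-subcall) calls cover creation, thread context and foreign memory access is flagged, so the AutoIt runtime entries above, which only touch files, the registry and the shell, come back empty.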
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3877424927-0
                                                                                                                          • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                                                                          • Instruction ID: 24355029c8321623041b1f6c7a386d174ff9f77179251e3622ee19c50e150ae5
                                                                                                                          • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                                                                          • Instruction Fuzzy Hash: 0B5199B1A2020EABDB24DF69888457EF7A5AF403A0F244739FA25D62D0D7749F708F54
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D4517: _fseek.LIBCMT ref: 002D452F
                                                                                                                            • Part of subcall function 0031C56D: _wcscmp.LIBCMT ref: 0031C65D
                                                                                                                            • Part of subcall function 0031C56D: _wcscmp.LIBCMT ref: 0031C670
                                                                                                                          • _free.LIBCMT ref: 0031C4DD
                                                                                                                          • _free.LIBCMT ref: 0031C4E4
                                                                                                                          • _free.LIBCMT ref: 0031C54F
                                                                                                                            • Part of subcall function 002F1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,002F7A85), ref: 002F1CB1
                                                                                                                            • Part of subcall function 002F1C9D: GetLastError.KERNEL32(00000000,?,002F7A85), ref: 002F1CC3
                                                                                                                          • _free.LIBCMT ref: 0031C557
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1552873950-0
                                                                                                                          • Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                                                                                          • Instruction ID: f38b12e6f2fb04d8fbe1c6f4ca52fa0a2b79348068605cb2b47cd93353781942
                                                                                                                          • Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                                                                                          • Instruction Fuzzy Hash: 00516CB1914218AFDF199F64DC81BEEBBB9EF48300F1000AEB209A7241DB715E908F59
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 002EEBB2
                                                                                                                            • Part of subcall function 002D51AF: _memset.LIBCMT ref: 002D522F
                                                                                                                            • Part of subcall function 002D51AF: _wcscpy.LIBCMT ref: 002D5283
                                                                                                                            • Part of subcall function 002D51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D5293
                                                                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 002EEC07
                                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002EEC16
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00343C88
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1378193009-0
                                                                                                                          • Opcode ID: 7b31a7f8b87498c8db7427e2ffb9a85048a39d671626bbadea97607460b08b3e
                                                                                                                          • Instruction ID: 3f9e64ecabf7651253d4d7a64d3370a2847a993c22a1c377357acb4fd93f8e96
                                                                                                                          • Opcode Fuzzy Hash: 7b31a7f8b87498c8db7427e2ffb9a85048a39d671626bbadea97607460b08b3e
                                                                                                                          • Instruction Fuzzy Hash: E621D7709047949FEB339B288895BEBBBEC9B15308F15048EE68E6B241C3742E858B51
                                                                                                                          APIs
                                                                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 0031C72F
                                                                                                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0031C746
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Temp$FileNamePath
                                                                                                                          • String ID: aut
                                                                                                                          • API String ID: 3285503233-3010740371
                                                                                                                          • Opcode ID: 1cd39b24902addf0e258a818eb2c3949add5f3b80d0b565ff88f7411893fe10e
                                                                                                                          • Instruction ID: ac67984e441c27598e918c7561c1167476ac68a1cbed35677e22acb8f32ef7ca
                                                                                                                          • Opcode Fuzzy Hash: 1cd39b24902addf0e258a818eb2c3949add5f3b80d0b565ff88f7411893fe10e
                                                                                                                          • Instruction Fuzzy Hash: F7D05E7150030EABDB21AB90DC0EFCA776CA700705F0005A0B650A50B1DBB4E6998B55
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 3a045ff28c30d914678a169329a1e83d9310ca9884b4a2e3ed87bc6a4e0e77a9
                                                                                                                          • Instruction ID: a19a9db78840677f01bfefb29148780688b1661bdddd51705e3d3d05f1ff5980
                                                                                                                          • Opcode Fuzzy Hash: 3a045ff28c30d914678a169329a1e83d9310ca9884b4a2e3ed87bc6a4e0e77a9
                                                                                                                          • Instruction Fuzzy Hash: EFF167716083519FC715DF28D881B6AB7F5BF88314F10892EF9999B292DB30E945CF82
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 002D5022
                                                                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D50CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: IconNotifyShell__memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 928536360-0
                                                                                                                          • Opcode ID: f54608976f519e1e2b88a136c03e99a151fc5fa293748589c1eda8c8e6dc119c
                                                                                                                          • Instruction ID: d4221e3e81895519b1c8432b0be8f3672bfd6bf6d84b9b463ff409c25b67ac51
                                                                                                                          • Opcode Fuzzy Hash: f54608976f519e1e2b88a136c03e99a151fc5fa293748589c1eda8c8e6dc119c
                                                                                                                          • Instruction Fuzzy Hash: 09319FB0514712DFC322DF24D88569BBBE8FB48305F00092FF59A87351E7B26954CB92
                                                                                                                          APIs
                                                                                                                          • __FF_MSGBANNER.LIBCMT ref: 002F3973
                                                                                                                            • Part of subcall function 002F81C2: __NMSG_WRITE.LIBCMT ref: 002F81E9
                                                                                                                            • Part of subcall function 002F81C2: __NMSG_WRITE.LIBCMT ref: 002F81F3
                                                                                                                          • __NMSG_WRITE.LIBCMT ref: 002F397A
                                                                                                                            • Part of subcall function 002F821F: GetModuleFileNameW.KERNEL32(00000000,00390312,00000104,00000000,00000001,00000000), ref: 002F82B1
                                                                                                                            • Part of subcall function 002F821F: ___crtMessageBoxW.LIBCMT ref: 002F835F
                                                                                                                            • Part of subcall function 002F1145: ___crtCorExitProcess.LIBCMT ref: 002F114B
                                                                                                                            • Part of subcall function 002F1145: ExitProcess.KERNEL32 ref: 002F1154
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          • RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,002EF507,?,0000000E), ref: 002F399F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1372826849-0
                                                                                                                          • Opcode ID: 8a801e3137e015bb3ebbabe387d64102d4e1f60e34b89da0d9abf43fd4fcb390
                                                                                                                          • Instruction ID: b0e1bb0966ff1d215b8cfe4eb137e09cf3b2fda7e566de843b5d2c7ada72a329
                                                                                                                          • Opcode Fuzzy Hash: 8a801e3137e015bb3ebbabe387d64102d4e1f60e34b89da0d9abf43fd4fcb390
                                                                                                                          • Instruction Fuzzy Hash: 7401963127560E9AE6267B34EC52B7EE3489F817E0F210136F705D6191DBF09D608AA0
                                                                                                                          APIs
                                                                                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0031C385,?,?,?,?,?,00000004), ref: 0031C6F2
                                                                                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0031C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0031C708
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,0031C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0031C70F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3397143404-0
                                                                                                                          • Opcode ID: d6f2bbcff8916b92576efdc3e1886074aacebf279b8beeda624865d00a566c1e
                                                                                                                          • Instruction ID: 05061f756e4dc7fb33fd983dd9aa468555384bf8ddf5b6350f17b909088a4ca6
                                                                                                                          • Opcode Fuzzy Hash: d6f2bbcff8916b92576efdc3e1886074aacebf279b8beeda624865d00a566c1e
                                                                                                                          • Instruction Fuzzy Hash: 70E08632180714BBD7321B54AC0AFCA7F5CEB05761F104110FB54690F097B126518799
                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 0031BB72
                                                                                                                            • Part of subcall function 002F1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,002F7A85), ref: 002F1CB1
                                                                                                                            • Part of subcall function 002F1C9D: GetLastError.KERNEL32(00000000,?,002F7A85), ref: 002F1CC3
                                                                                                                          • _free.LIBCMT ref: 0031BB83
                                                                                                                          • _free.LIBCMT ref: 0031BB95
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                                                          • Instruction ID: ae8e882abc94e1a4b611ce898c124d9c553b91dd4aabc3ddabac5cf52ff6f7f9
                                                                                                                          • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                                                          • Instruction Fuzzy Hash: 4CE0C2A120470083CA2865386E44FF393CC0F08390784082EB519E318ACF20E8A088A4
APIs
  • Part of subcall function 002D22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002D24F1), ref: 002D2303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002D25A1
• CoInitialize.OLE32(00000000), ref: 002D2618
• CloseHandle.KERNEL32(00000000), ref: 0034503A
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __fread_nolock
• String ID: EA06
• API String ID: 2638373210-3962188686
APIs
• _strcat.LIBCMT ref: 003308FD
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
• _wcscpy.LIBCMT ref: 0033098C
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __itow__swprintf_strcat_wcscpy
• String ID:
• API String ID: 1012013722-0
APIs
• IsThemeActive.UXTHEME ref: 002D3A73
  • Part of subcall function 002F1405: __lock.LIBCMT ref: 002F140B
  • Part of subcall function 002D3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002D3AF3
  • Part of subcall function 002D3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D3B08
  • Part of subcall function 002D3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002D3AA3,?), ref: 002D3D45
  • Part of subcall function 002D3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,002D3AA3,?), ref: 002D3D57
  • Part of subcall function 002D3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00391148,00391130,?,?,?,?,002D3AA3,?), ref: 002D3DC8
  • Part of subcall function 002D3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,002D3AA3,?), ref: 002D3E48
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D3AB3
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
• String ID:
• API String ID: 924797094-0
APIs
• ___lock_fhandle.LIBCMT ref: 002FEA29
• __close_nolock.LIBCMT ref: 002FEA42
  • Part of subcall function 002F7BDA: __getptd_noexit.LIBCMT ref: 002F7BDA
  • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle__close_nolock
• String ID:
• API String ID: 1046115767-0
APIs
  • Part of subcall function 002F395C: __FF_MSGBANNER.LIBCMT ref: 002F3973
  • Part of subcall function 002F395C: __NMSG_WRITE.LIBCMT ref: 002F397A
  • Part of subcall function 002F395C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,002EF507,?,0000000E), ref: 002F399F
• std::exception::exception.LIBCMT ref: 002EF51E
• __CxxThrowException@8.LIBCMT ref: 002EF533
  • Part of subcall function 002F6805: RaiseException.KERNEL32(?,?,0000000E,00386A30,?,?,?,002EF538,0000000E,00386A30,?,00000001), ref: 002F6856
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
APIs
  • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
• __lock_file.LIBCMT ref: 002F3629
  • Part of subcall function 002F4E1C: __lock.LIBCMT ref: 002F4E3F
• __fclose_nolock.LIBCMT ref: 002F3634
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
                                                                                                                          • Opcode ID: e2eaf23640599eb5c3cc27be6a76649366ba63ac002d4ec273455bf9a9498baf
                                                                                                                          • Instruction ID: b5c0a1d06d55e92de559c8bcd2640536b5ab6202b5dc42a6afe5845597af5727
                                                                                                                          • Opcode Fuzzy Hash: e2eaf23640599eb5c3cc27be6a76649366ba63ac002d4ec273455bf9a9498baf
                                                                                                                          • Instruction Fuzzy Hash: A6F0963282120DAAE711BF65880677EFAA46F407B4F258129E610EB2C1C77886219F59
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01257C33
                                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01257CC9
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01257CEB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2438371351-0
                                                                                                                          • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                          • Instruction ID: db7aefffc9d717eadd5cedc3e059a83df2557186f553e2f6c9553c13c7c4c64f
                                                                                                                          • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                          • Instruction Fuzzy Hash: 5512CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
                                                                                                                          APIs
                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DE959
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePeek
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2222842502-0
                                                                                                                          • Opcode ID: 9b18ee362f901cbce7524073c11ead39aec20bbdd3c28fd3d02411bdf57d26cb
                                                                                                                          • Instruction ID: 50fb0ae0d83c4fb7bb4872a679783d12273bf9612489232698a0f9adbd069eb2
                                                                                                                          • Opcode Fuzzy Hash: 9b18ee362f901cbce7524073c11ead39aec20bbdd3c28fd3d02411bdf57d26cb
                                                                                                                          • Instruction Fuzzy Hash: 6571D4709083819FEF27DF24C48476A7BD4AB55304F0A49BBD8859F3A2D375AC85CB52
                                                                                                                          APIs
                                                                                                                          • __flush.LIBCMT ref: 002F2A0B
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __flush__getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4101623367-0
                                                                                                                          • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                          • Instruction ID: 2954dc88a68a9919c7ce853391468adb5f845aeb1f431b06d94a18f72d1398df
                                                                                                                          • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                          • Instruction Fuzzy Hash: A041B83162070FDFDB288E69C4919BEF7A6AF463E0B24853DE655C7244D6B0DD688B40
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ProtectVirtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 544645111-0
                                                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                          • Instruction ID: dd17eb3f6802473c823ec5db8b2d21e5fc91454ad4a30492c8eae74adfb7fabf
                                                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                          • Instruction Fuzzy Hash: 1A31FC70A50146DBCB18DF5AC880A69F7BAFF49340BA586A5E409CB355DB31EDD1CB80
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 269201875-0
                                                                                                                          • Opcode ID: c752a3f2b12397686aeaa10176ceb8fa6ef836ae70835b7068dd0f1e4220e6d4
                                                                                                                          • Instruction ID: f58dda1629dd6e3d9ac74941d31df51052670fca077c1113ed6c45b96c73fbb5
                                                                                                                          • Opcode Fuzzy Hash: c752a3f2b12397686aeaa10176ceb8fa6ef836ae70835b7068dd0f1e4220e6d4
                                                                                                                          • Instruction Fuzzy Hash: E931C536104918CFCF0A9F01D0E066E77B5FF49720F21844AEA961F386D770A915CF81
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClearVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1473721057-0
                                                                                                                          • Opcode ID: 8c3bd87294841e1f0be9899a2cf4def13adb030ea1dd6b4fb7c92e4076e13faf
                                                                                                                          • Instruction ID: e599a166dbc9ede549becc651cbf7ef765d54926e9682f3e9e390803da982fcd
                                                                                                                          • Opcode Fuzzy Hash: 8c3bd87294841e1f0be9899a2cf4def13adb030ea1dd6b4fb7c92e4076e13faf
                                                                                                                          • Instruction Fuzzy Hash: 4A418A705146418FDB25DF19C484B1ABBE0BF44304F6989ACE99A4B362C372FC96CF52
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __getptd_noexit
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3074181302-0
                                                                                                                          • Opcode ID: 17e34a434fb87e555c8d9469ffafd3f642ebbbcade79ce9551a088b1a9236e30
                                                                                                                          • Instruction ID: 494184017e08515c7db36cc8c650ed2af1482b5b84a1f222e0c7bb1e40092f72
                                                                                                                          • Opcode Fuzzy Hash: 17e34a434fb87e555c8d9469ffafd3f642ebbbcade79ce9551a088b1a9236e30
                                                                                                                          • Instruction Fuzzy Hash: B121807283460C8FDB137F64D845778B6559F427B5F260661E7614B1F2DBB488208FA1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D4214: FreeLibrary.KERNEL32(00000000,?), ref: 002D4247
                                                                                                                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002D39FE,?,00000001), ref: 002D41DB
                                                                                                                            • Part of subcall function 002D4291: FreeLibrary.KERNEL32(00000000), ref: 002D42C4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Library$Free$Load
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2391024519-0
                                                                                                                          • Opcode ID: a149c13b0dee9aa3ebd7becccf02c080f6260facd05d28125817e23cc8e7495b
                                                                                                                          • Instruction ID: 684051f2350853ed7a2f7be7d94d2df80ec339a0e6f7e1382713bb29de853b73
                                                                                                                          • Opcode Fuzzy Hash: a149c13b0dee9aa3ebd7becccf02c080f6260facd05d28125817e23cc8e7495b
                                                                                                                          • Instruction Fuzzy Hash: 6911E731620305ABCB11BB74DC1AF9E77E99F40700F10843AF996AA2C5DF709E249F60
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClearVariant
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1473721057-0
APIs
• ___lock_fhandle.LIBCMT ref: 002FAFC0
  • Part of subcall function 002F7BDA: __getptd_noexit.LIBCMT ref: 002F7BDA
  • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle
• String ID:
• API String ID: 1144279405-0
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• __lock_file.LIBCMT ref: 002F2AED
  • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,?,?,?,002D39FE,?,00000001), ref: 002D4286
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D40C6
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: LongNamePath
• String ID:
• API String ID: 82841172-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391148,?,002D61FF,?,00000000,00000001,00000000), ref: 002D5392
  • Part of subcall function 002D660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D53B1,?,?,002D61FF,?,00000000,00000001,00000000), ref: 002D662F
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Name$FileFullModulePath
• String ID:
• API String ID: 1235081036-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 01258489
Memory Dump Source
• Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1256000_(2).jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 01258489
Memory Dump Source
• Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1256000_(2).jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0033F87D
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033F8DC
• GetWindowLongW.USER32(?,000000F0), ref: 0033F919
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033F940
• SendMessageW.USER32 ref: 0033F966
• _wcsncpy.LIBCMT ref: 0033F9D2
• GetKeyState.USER32(00000011), ref: 0033F9F3
• GetKeyState.USER32(00000009), ref: 0033FA00
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033FA16
• GetKeyState.USER32(00000010), ref: 0033FA20
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033FA4F
• SendMessageW.USER32 ref: 0033FA72
• SendMessageW.USER32(?,00001030,?,0033E059), ref: 0033FB6F
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0033FB85
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0033FB96
• SetCapture.USER32(?), ref: 0033FB9F
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 0033FC03
                                                                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0033FC0F
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0033FC29
                                                                                                                          • ReleaseCapture.USER32 ref: 0033FC34
                                                                                                                          • GetCursorPos.USER32(?), ref: 0033FC69
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 0033FC76
                                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0033FCD8
                                                                                                                          • SendMessageW.USER32 ref: 0033FD02
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0033FD41
                                                                                                                          • SendMessageW.USER32 ref: 0033FD6C
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0033FD84
                                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0033FD8F
                                                                                                                          • GetCursorPos.USER32(?), ref: 0033FDB0
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 0033FDBD
                                                                                                                          • GetParent.USER32(?), ref: 0033FDD9
                                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0033FE3F
                                                                                                                          • SendMessageW.USER32 ref: 0033FE6F
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 0033FEC5
                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0033FEF1
                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0033FF19
                                                                                                                          • SendMessageW.USER32 ref: 0033FF3C
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 0033FF86
                                                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0033FFB6
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0034004B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                          • String ID: @GUI_DRAGID$F
                                                                                                                          • API String ID: 2516578528-4164748364
                                                                                                                          • Opcode ID: a7425ec4b2f8c238404d2ec7614a68340a18ccce3f946e2206363e91fcdb1ff8
                                                                                                                          • Instruction ID: fa16cd1d1908dde6401f4295fb75d4480903c204bbedbc5b3dac6153df4838cf
                                                                                                                          • Opcode Fuzzy Hash: a7425ec4b2f8c238404d2ec7614a68340a18ccce3f946e2206363e91fcdb1ff8
                                                                                                                          • Instruction Fuzzy Hash: FD32CC74A04345AFDB26CF64C884FAABBA8FF49354F440A29FA958B2B0C731DC55CB51
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0033B1CD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: %d/%02d/%02d
                                                                                                                          • API String ID: 3850602802-328681919
                                                                                                                          • Opcode ID: cdf47ac5f5c004f6695be35f53543426251c50030b5d54473b2e1761aea566d8
                                                                                                                          • Instruction ID: 7bff41d22f5ae1398060ff5f97a5f49dc141acc1c10e3c1677512fabedeec239
                                                                                                                          • Opcode Fuzzy Hash: cdf47ac5f5c004f6695be35f53543426251c50030b5d54473b2e1761aea566d8
                                                                                                                          • Instruction Fuzzy Hash: 5512BF71900708ABEB269F65CC89FAEBBB8FF45710F104119FA59DB2E1DB748942CB11
                                                                                                                          APIs
                                                                                                                          • GetForegroundWindow.USER32(00000000,00000000), ref: 002EEB4A
                                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00343AEA
                                                                                                                          • IsIconic.USER32(000000FF), ref: 00343AF3
                                                                                                                          • ShowWindow.USER32(000000FF,00000009), ref: 00343B00
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00343B0A
                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00343B20
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00343B27
                                                                                                                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00343B33
                                                                                                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00343B44
                                                                                                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00343B4C
                                                                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00343B54
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00343B57
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00343B6C
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00343B77
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00343B81
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00343B86
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00343B8F
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00343B94
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00343B9E
                                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00343BA3
                                                                                                                          • SetForegroundWindow.USER32(000000FF), ref: 00343BA6
                                                                                                                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00343BCD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                          • String ID: Shell_TrayWnd
                                                                                                                          • API String ID: 4125248594-2988720461
                                                                                                                          • Opcode ID: 4c436202c3909fe81515a36a937df0a58434be010c68e0cc66e44bb9cad706da
                                                                                                                          • Instruction ID: 6e87ced6148bd9a562d334848be1cb0b649318331e3784d32d32a37d4c92f6b8
                                                                                                                          • Opcode Fuzzy Hash: 4c436202c3909fe81515a36a937df0a58434be010c68e0cc66e44bb9cad706da
                                                                                                                          • Instruction Fuzzy Hash: 7131A671A40318BBEF326B658C4AF7F7E6CEB44B51F114015FA05EB1E0D6B0AD01AEA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0030B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030B180
                                                                                                                            • Part of subcall function 0030B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030B1AD
                                                                                                                            • Part of subcall function 0030B134: GetLastError.KERNEL32 ref: 0030B1BA
                                                                                                                          • _memset.LIBCMT ref: 0030AD08
                                                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0030AD5A
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0030AD6B
                                                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0030AD82
                                                                                                                          • GetProcessWindowStation.USER32 ref: 0030AD9B
                                                                                                                          • SetProcessWindowStation.USER32(00000000), ref: 0030ADA5
                                                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0030ADBF
                                                                                                                            • Part of subcall function 0030AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0030ACC0), ref: 0030AB99
                                                                                                                            • Part of subcall function 0030AB84: CloseHandle.KERNEL32(?,?,0030ACC0), ref: 0030ABAB
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                          • String ID: $H*8$default$winsta0
                                                                                                                          • API String ID: 2063423040-2350962757
                                                                                                                          • Opcode ID: 74941fe27d9f259ed9c1d9da1f7448e03d69ad054e68afa5b96d621bb6521a55
                                                                                                                          • Instruction ID: ab38260eaa799089bb1c6e2233b3db08bebc29cf361d65a84d9e4000e750bd8d
                                                                                                                          • Opcode Fuzzy Hash: 74941fe27d9f259ed9c1d9da1f7448e03d69ad054e68afa5b96d621bb6521a55
                                                                                                                          • Instruction Fuzzy Hash: DF819D71802309AFDF12DFA4EC69AEEBBBCEF08344F054119F914A61A1D7318E55DB62
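The two function listings above are the ones worth a second look during triage: the routine around 00343AEA attaches its input queue to the foreground window's thread with AttachThreadInput and injects a synthetic ALT keypress (keybd_event with VK 0x12) before calling SetForegroundWindow, the standard way of defeating the foreground-lock so a window can be forced to the front; the routine around 0030AD82 duplicates a token and opens "winsta0" and the "default" desktop with WRITE_DAC access, which is what code does when it is about to grant another user's token access to the interactive desktop. Both sequences are consistent with the AutoIt runtime's window-activation and RunAs helpers (an inference from the report's "compiled AutoIt script" verdict, not something the listing states). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own bullet format into per-function API sets, tags a few behaviour patterns (including the FindFirstFileW/MoveFileW/DeleteFileW loop listed further down), and decodes the virtual-key codes and the window-station/desktop access masks. The pattern names and the sample text are constructed for the example; the VK and access-right constants are the documented Win32 values.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report code)."""
import re

# Constructed sample input in the report's bullet format: a subset of three
# listings from this page (window activation, token/desktop setup, one trivial).
SAMPLE = """\
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 002EEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00343AEA
• SetForegroundWindow.USER32(000000FF), ref: 00343B0A
• GetCurrentThreadId.KERNEL32 ref: 00343B27
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00343B44
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00343B6C
• keybd_event.USER32(00000012,00000000), ref: 00343B77
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 00343BCD
Strings
APIs
  • Part of subcall function 0030B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030B180
  • Part of subcall function 0030B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030B1AD
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0030AD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0030AD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0030ADBF
Strings
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0033B1CD
Strings
"""

# One bullet line: optional "Part of subcall function X:", Api.MODULE, optional
# (args), then "ref: ADDR". Calls without arguments have no parentheses.
BULLET = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Behaviour patterns (names are ours): every listed API must occur in the function.
PATTERNS = {
    "force-foreground-window": {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "adjust-token-privileges": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "token-dup-winsta-desktop": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "wildcard-file-move": {"FindFirstFileW", "FindNextFileW", "MoveFileW", "DeleteFileW"},
}
VK_NAMES = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
GENERIC_RIGHTS = [(0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC")]
DESKTOP_RIGHTS = [(0x00000001, "DESKTOP_READOBJECTS"), (0x00000080, "DESKTOP_WRITEOBJECTS")]
ACCESS_ARG = {"OpenWindowStationW": 2, "OpenDesktopW": 3}  # index of dwDesiredAccess


def parse_listings(text):
    """Split on 'APIs' headers; return one list of call dicts per function."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = []
            funcs.append(cur)
            continue
        m = BULLET.match(line)
        if m and cur is not None:
            args = m.group("args")
            cur.append({
                "api": m.group("api"), "module": m.group("mod"),
                "args": [a.strip() for a in args.split(",")] if args is not None else [],
                "ref": int(m.group("ref"), 16), "subcall": m.group("sub"),
            })
    return funcs


def tag_function(calls):
    """Names of every pattern whose API set is a subset of the function's APIs."""
    apis = {c["api"] for c in calls}
    return sorted(name for name, need in PATTERNS.items() if need <= apis)


def synthetic_keys(calls):
    """Virtual-key codes passed to keybd_event (first argument), decoded where known."""
    keys = []
    for c in calls:
        if c["api"] == "keybd_event" and c["args"] and c["args"][0] != "?":
            vk = int(c["args"][0], 16)
            keys.append(VK_NAMES.get(vk, f"0x{vk:02X}"))
    return keys


def object_access(calls):
    """(api, object name, decoded dwDesiredAccess) for window-station/desktop opens."""
    out = []
    for c in calls:
        idx = ACCESS_ARG.get(c["api"])
        if idx is None or len(c["args"]) <= idx or c["args"][idx] == "?":
            continue
        mask = int(c["args"][idx], 16)
        table = GENERIC_RIGHTS + (DESKTOP_RIGHTS if c["api"] == "OpenDesktopW" else [])
        names = [n for bit, n in table if mask & bit]
        leftover = mask & ~sum(bit for bit, _ in table)
        if leftover:  # bits we do not name are kept as a hex remainder, not dropped
            names.append(f"0x{leftover:08X}")
        out.append((c["api"], c["args"][0], names))
    return out


def triage(text):
    """Per-function summary: first direct call address, call count, tags, keys, access."""
    report = []
    for calls in parse_listings(text):
        direct = [c for c in calls if c["subcall"] is None]
        report.append({
            "first_ref": direct[0]["ref"] if direct else None,
            "calls": len(calls), "tags": tag_function(calls),
            "keys": synthetic_keys(calls), "access": object_access(calls),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Run it on the report text pasted into SAMPLE (or read from a file) and inspect the functions whose tags list is non-empty; the decoded access masks show that the desktop is opened with WRITE_DAC plus DESKTOP_READOBJECTS and DESKTOP_WRITEOBJECTS, which is the access needed to rewrite the desktop's DACL, not merely to enumerate it.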
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00316EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00315FA6,?), ref: 00316ED8
                                                                                                                            • Part of subcall function 00316EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00315FA6,?), ref: 00316EF1
                                                                                                                            • Part of subcall function 0031725E: __wsplitpath.LIBCMT ref: 0031727B
                                                                                                                            • Part of subcall function 0031725E: __wsplitpath.LIBCMT ref: 0031728E
                                                                                                                            • Part of subcall function 003172CB: GetFileAttributesW.KERNEL32(?,00316019), ref: 003172CC
                                                                                                                          • _wcscat.LIBCMT ref: 00316149
                                                                                                                          • _wcscat.LIBCMT ref: 00316167
                                                                                                                          • __wsplitpath.LIBCMT ref: 0031618E
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003161A4
                                                                                                                          • _wcscpy.LIBCMT ref: 00316209
                                                                                                                          • _wcscat.LIBCMT ref: 0031621C
                                                                                                                          • _wcscat.LIBCMT ref: 0031622F
                                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0031625D
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 0031626E
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00316289
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00316298
                                                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 003162AD
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 003162BE
                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003162E1
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 003162FD
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 0031630B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                                                          • String ID: \*.*
                                                                                                                          • API String ID: 1917200108-1173974218
                                                                                                                          • Opcode ID: 14ab6a5000d5c6c6a11d62eddcb6db9cc0c285e58833305c033377f3d105e745
                                                                                                                          • Instruction ID: 433740dc1898a3ddf2ca6fbce17ad991a02f0e65cf2cecacb31736bf89da2bd0
                                                                                                                          • Opcode Fuzzy Hash: 14ab6a5000d5c6c6a11d62eddcb6db9cc0c285e58833305c033377f3d105e745
                                                                                                                          • Instruction Fuzzy Hash: 7051037280821C6ACB26EB91DC45DEFB7BCAF09300F0505E6E585E3151DE769789CFA4

APIs
• OpenClipboard.USER32(0036DC00), ref: 00326B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00326B44
• GetClipboardData.USER32(0000000D), ref: 00326B4C
• CloseClipboard.USER32 ref: 00326B58
• GlobalLock.KERNEL32(00000000), ref: 00326B74
• CloseClipboard.USER32 ref: 00326B7E
• GlobalUnlock.KERNEL32(00000000), ref: 00326B93
• IsClipboardFormatAvailable.USER32(00000001), ref: 00326BA0
• GetClipboardData.USER32(00000001), ref: 00326BA8
• GlobalLock.KERNEL32(00000000), ref: 00326BB5
• GlobalUnlock.KERNEL32(00000000), ref: 00326BE9
• CloseClipboard.USER32 ref: 00326CF6
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 671b6dc75e20d613305ca7f3ddcb11c093d4ec31cdd081195fe9bdc83d8ffdda
• Instruction ID: d0e8a06aec83e9299b38e925f2f15dc6a7975d77fcb8d9226baebd642075e248
• Opcode Fuzzy Hash: 671b6dc75e20d613305ca7f3ddcb11c093d4ec31cdd081195fe9bdc83d8ffdda
• Instruction Fuzzy Hash: 82518F71204311ABD312BF61ED56F6E77ACAF84B01F51042AF586D62E1DF70D906CB62

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031F62B
• FindClose.KERNEL32(00000000), ref: 0031F67F
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031F6A4
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031F6BB
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0031F6E2
• __swprintf.LIBCMT ref: 0031F72E
• __swprintf.LIBCMT ref: 0031F767
• __swprintf.LIBCMT ref: 0031F7BB
  • Part of subcall function 002F172B: __woutput_l.LIBCMT ref: 002F1784
• __swprintf.LIBCMT ref: 0031F809
• __swprintf.LIBCMT ref: 0031F858
• __swprintf.LIBCMT ref: 0031F8A7
• __swprintf.LIBCMT ref: 0031F8F6
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 835046349-2428617273
• Opcode ID: 1393bc1cf4938cf9d41ab2270768254e52a0bb3e770b650460c58543e55f8749
• Instruction ID: f694635af3f5ecf5831435014723d49f540ff014903a7c3725f6aa3d5aa6ed4a
• Opcode Fuzzy Hash: 1393bc1cf4938cf9d41ab2270768254e52a0bb3e770b650460c58543e55f8749
• Instruction Fuzzy Hash: ECA10DB2418344ABC315EBA5C885DAFB7ECAF98704F440C2AF58582252EB34D959CB62

APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00321B50
• _wcscmp.LIBCMT ref: 00321B65
• _wcscmp.LIBCMT ref: 00321B7C
• GetFileAttributesW.KERNEL32(?), ref: 00321B8E
• SetFileAttributesW.KERNEL32(?,?), ref: 00321BA8
• FindNextFileW.KERNEL32(00000000,?), ref: 00321BC0
• FindClose.KERNEL32(00000000), ref: 00321BCB
• FindFirstFileW.KERNEL32(*.*,?), ref: 00321BE7
• _wcscmp.LIBCMT ref: 00321C0E
• _wcscmp.LIBCMT ref: 00321C25
• SetCurrentDirectoryW.KERNEL32(?), ref: 00321C37
• SetCurrentDirectoryW.KERNEL32(003839FC), ref: 00321C55
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00321C5F
• FindClose.KERNEL32(00000000), ref: 00321C6C
• FindClose.KERNEL32(00000000), ref: 00321C7C
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 64924c52d3e42915f106af09cb19fa026b8e337154eb60e4a8a227fe0ff387e6
• Instruction ID: 7e899d2f9bb299ec61bb4b063d078ceed405e30781f87fa0879e460b083a26a0
• Opcode Fuzzy Hash: 64924c52d3e42915f106af09cb19fa026b8e337154eb60e4a8a227fe0ff387e6
• Instruction Fuzzy Hash: 4631E836500329BBDF22AFB0ED49ADE77BC9F15311F1041A5E901E30A0EB70DB458B64

APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00321CAB
• _wcscmp.LIBCMT ref: 00321CC0
• _wcscmp.LIBCMT ref: 00321CD7
  • Part of subcall function 00316BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00316BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 00321D06
• FindClose.KERNEL32(00000000), ref: 00321D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 00321D2D
• _wcscmp.LIBCMT ref: 00321D54
• _wcscmp.LIBCMT ref: 00321D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00321D7D
• SetCurrentDirectoryW.KERNEL32(003839FC), ref: 00321D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00321DA5
• FindClose.KERNEL32(00000000), ref: 00321DB2
• FindClose.KERNEL32(00000000), ref: 00321DC2
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 1e3809ea2d86722a715a870aacd0f37cd65aa5acb3d1bc7e891d8cb5b3318443
• Instruction ID: 55c3821aa0a9578da20b375db62873361b4f002b920f024e7e253cc97a8e3bf6
• Opcode Fuzzy Hash: 1e3809ea2d86722a715a870aacd0f37cd65aa5acb3d1bc7e891d8cb5b3318443
• Instruction Fuzzy Hash: A531E83250062AABCF22ABA0ED49AEE77AC9F55324F114551E801A31A1DB70DB458F64

APIs
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: _memset
• String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
• API String ID: 2102423945-2023335898
• Opcode ID: dae8f7d6234c5ecafdd076353ac3ef4d6e36ea44d5abf3cb3d986f8c5ae6b891
• Instruction ID: fa5bd3879b48a43a50bd8e26c293cf67acb6251833fdaa00fb3e7e889e295323
• Opcode Fuzzy Hash: dae8f7d6234c5ecafdd076353ac3ef4d6e36ea44d5abf3cb3d986f8c5ae6b891
• Instruction Fuzzy Hash: 2582C171D2421ACFCB25CF94C8807ADB7B1FF44310F2981AAD859AB391E774AD95CB90
                                                                                                                          APIs
                                                                                                                          • GetLocalTime.KERNEL32(?), ref: 003209DF
                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 003209EF
                                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003209FB
                                                                                                                          • __wsplitpath.LIBCMT ref: 00320A59
                                                                                                                          • _wcscat.LIBCMT ref: 00320A71
                                                                                                                          • _wcscat.LIBCMT ref: 00320A83
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00320A98
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00320AAC
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00320ADE
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00320AFF
                                                                                                                          • _wcscpy.LIBCMT ref: 00320B0B
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00320B4A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                          • String ID: *.*
                                                                                                                          • API String ID: 3566783562-438819550
                                                                                                                          • Opcode ID: c07e387f83b85ed35ba3c841ad3f30cbe8014b3ce23ba7decef7895e095d0750
                                                                                                                          • Instruction ID: 3a150460b5694a2547d79f331d624c21d13457f31d4152fa2fc90e89af1217cb
                                                                                                                          • Opcode Fuzzy Hash: c07e387f83b85ed35ba3c841ad3f30cbe8014b3ce23ba7decef7895e095d0750
                                                                                                                          • Instruction Fuzzy Hash: 806188725143159FC715EF60D8849AEB3E8FF89310F04892AF98AC7252DB31E959CF92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0030ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0030ABD7
                                                                                                                            • Part of subcall function 0030ABBB: GetLastError.KERNEL32(?,0030A69F,?,?,?), ref: 0030ABE1
                                                                                                                            • Part of subcall function 0030ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0030A69F,?,?,?), ref: 0030ABF0
                                                                                                                            • Part of subcall function 0030ABBB: HeapAlloc.KERNEL32(00000000,?,0030A69F,?,?,?), ref: 0030ABF7
                                                                                                                            • Part of subcall function 0030ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0030AC0E
                                                                                                                            • Part of subcall function 0030AC56: GetProcessHeap.KERNEL32(00000008,0030A6B5,00000000,00000000,?,0030A6B5,?), ref: 0030AC62
                                                                                                                            • Part of subcall function 0030AC56: HeapAlloc.KERNEL32(00000000,?,0030A6B5,?), ref: 0030AC69
                                                                                                                            • Part of subcall function 0030AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0030A6B5,?), ref: 0030AC7A
                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0030A6D0
                                                                                                                          • _memset.LIBCMT ref: 0030A6E5
                                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0030A704
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 0030A715
                                                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0030A752
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0030A76E
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 0030A78B
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0030A79A
                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 0030A7A1
                                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0030A7C2
                                                                                                                          • CopySid.ADVAPI32(00000000), ref: 0030A7C9
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0030A7FA
                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0030A820
                                                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0030A834
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3996160137-0
                                                                                                                          • Opcode ID: aa51e83c4237efb3a664be34a5e946b3703bfc18ccfa6f166e228bb9ab7e6300
                                                                                                                          • Instruction ID: 829f1926096f0f23a46d5c650e8883619d9a0f6485a1ec8665357bc7fca6404b
                                                                                                                          • Opcode Fuzzy Hash: aa51e83c4237efb3a664be34a5e946b3703bfc18ccfa6f166e228bb9ab7e6300
                                                                                                                          • Instruction Fuzzy Hash: A4514C71901609AFDF12DFA5EC54AEEBBB9FF04300F048129F911AB2A1DB349A05CB61
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 7$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$777 7
                                                                                                                          • API String ID: 0-3476060724
                                                                                                                          • Opcode ID: 3e12aa50c20897829f95baebb7e2d0ba79bc25648dce68329f5d5a22ddcda1c6
                                                                                                                          • Instruction ID: 687e6bd9a74251bab406ce941ce2f8eab5d687566d7a057cc8089855ecd3106a
                                                                                                                          • Opcode Fuzzy Hash: 3e12aa50c20897829f95baebb7e2d0ba79bc25648dce68329f5d5a22ddcda1c6
                                                                                                                          • Instruction Fuzzy Hash: 6972A071E14219CBDB25CF58C880BAEB7B5BF09310F1581AAE805EB390EB749E45DF90
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00316EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00315FA6,?), ref: 00316ED8
                                                                                                                            • Part of subcall function 003172CB: GetFileAttributesW.KERNEL32(?,00316019), ref: 003172CC
                                                                                                                          • _wcscat.LIBCMT ref: 00316441
                                                                                                                          • __wsplitpath.LIBCMT ref: 0031645F
                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00316474
                                                                                                                          • _wcscpy.LIBCMT ref: 003164A3
                                                                                                                          • _wcscat.LIBCMT ref: 003164B8
                                                                                                                          • _wcscat.LIBCMT ref: 003164CA
                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 003164DA
                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003164EB
                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00316506
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                                                          • String ID: \*.*
                                                                                                                          • API String ID: 2643075503-1173974218
                                                                                                                          • Opcode ID: 45a395032fdb7f6c026949fd1fe11720dd5cd147dd69e99fbeb54f85368db544
                                                                                                                          • Instruction ID: d8724cc9ffc5ba03e0b5b1cbed7ced57c89255dcd1292ac1b0a8835d1086aadd
                                                                                                                          • Opcode Fuzzy Hash: 45a395032fdb7f6c026949fd1fe11720dd5cd147dd69e99fbeb54f85368db544
                                                                                                                          • Instruction Fuzzy Hash: C53186B24083889AC722DBE488859EBB7DCAF59350F44092EF6D8C3142EA35D5598777
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0033328E
                                                                                                                            • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
                                                                                                                            • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0033332D
                                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003333C5
                                                                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00333604
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00333611
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1240663315-0
                                                                                                                          • Opcode ID: fefafbbf6cf6b24d551235b671550bf7793bf201affd381779100f3b3728d82b
                                                                                                                          • Instruction ID: 10dbc160016b5a42c64ced8969367bc602bb38974a79cf0588978088af0353fd
                                                                                                                          • Opcode Fuzzy Hash: fefafbbf6cf6b24d551235b671550bf7793bf201affd381779100f3b3728d82b
                                                                                                                          • Instruction Fuzzy Hash: 6AE13735604200AFCB15DF29C991E6ABBE8EF89714F04C96DF44ADB2A1DB30ED15CB52
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?), ref: 00312B5F
                                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00312BE0
                                                                                                                          • GetKeyState.USER32(000000A0), ref: 00312BFB
                                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00312C15
                                                                                                                          • GetKeyState.USER32(000000A1), ref: 00312C2A
                                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00312C42
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00312C54
                                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00312C6C
                                                                                                                          • GetKeyState.USER32(00000012), ref: 00312C7E
                                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00312C96
                                                                                                                          • GetKeyState.USER32(0000005B), ref: 00312CA8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: State$Async$Keyboard
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 541375521-0
                                                                                                                          • Opcode ID: 0da5273da06e1e12fc4fe4515ff18f15347995b73605d93365acba6894cf2645
                                                                                                                          • Instruction ID: 3633e0da09040c9acf9e8f2c5c61a8872920c6a8a2614435ee85f1669732ec81
                                                                                                                          • Opcode Fuzzy Hash: 0da5273da06e1e12fc4fe4515ff18f15347995b73605d93365acba6894cf2645
                                                                                                                          • Instruction Fuzzy Hash: 0141D9345087C96DFF3B9B6488043EBBEA0AF19344F058459DAC6572C1EBA499E4C7E2
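The DACL-editing sequence at 0030A6D0-0030A834 and the modifier-key polling at 00312B5F-00312CA8 are the two behaviours in this stretch of the listing that an analyst usually has to interpret by hand, because the report prints the arguments as raw hex. The Python below is an added example; it is not part of the Joe Sandbox report nor code from the AutoIt runtime the sample was built with. It parses the report's own API bullets (the sample lines are copied from the two blocks above), decodes the constants the report leaves numeric (virtual-key codes, ACL_INFORMATION_CLASS, ACL_REVISION, the BOOL flags to SetSecurityDescriptorDacl, the SECURITY_INFORMATION mask) and flags both call sequences. The pattern names are mine, as is the assumption that the analyser prints the value behind SetUserObjectSecurity's pointer argument; reading the DACL edit as the runtime granting a second account access to its window station and desktop, which is what a RunAs-style implementation does, is likewise my interpretation and not a finding the report states.

```python
import re

# Constructed sample: API bullets copied verbatim from the report's listing for
# the functions at 0030A6D0-0030A834 (user-object DACL edit) and
# 00312B5F-00312CA8 (modifier-key polling). Any "APIs" bullet parses the same way.
SAMPLE_LINES = """
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0030A6D0
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0030A704
• GetAce.ADVAPI32(?,00000000,?), ref: 0030A752
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0030A76E
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0030A79A
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0030A820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0030A834
• GetKeyboardState.USER32(?), ref: 00312B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00312BE0
• GetKeyState.USER32(000000A0), ref: 00312BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00312C15
• GetAsyncKeyState.USER32(00000011), ref: 00312C42
• GetAsyncKeyState.USER32(00000012), ref: 00312C6C
• GetAsyncKeyState.USER32(0000005B), ref: 00312C96
"""

# One report bullet: "[Part of subcall function X:] <Api>.<MODULE>[(<args>)], ref: <hex>".
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*?)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants (winuser.h / winnt.h).
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
SECURITY_INFORMATION = {0x1: "OWNER_SECURITY_INFORMATION", 0x2: "GROUP_SECURITY_INFORMATION",
                        0x4: "DACL_SECURITY_INFORMATION", 0x8: "SACL_SECURITY_INFORMATION"}
ACL_INFORMATION_CLASS = {1: "AclRevisionInformation", 2: "AclSizeInformation"}
ACE_REVISION = {2: "ACL_REVISION", 4: "ACL_REVISION_DS"}
MODIFIER_KEYS = set(VK_NAMES.values())

def parse_calls(text):
    """Turn report bullets into dicts; '?' (value unknown to the analyser) becomes None."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        api, module, args, ref = m.groups()
        parsed = []
        if args:
            for a in args.split(","):
                a = a.strip()
                parsed.append(None if a in ("", "?") else int(a, 16))  # "-00000008" -> -8
        calls.append({"api": api, "module": module, "args": parsed, "ref": int(ref, 16)})
    return calls

def key_polls(calls):
    """(ref, VK name) for every GetKeyState/GetAsyncKeyState call with a literal key code."""
    out = []
    for c in calls:
        if c["api"] in ("GetKeyState", "GetAsyncKeyState") and c["args"] and c["args"][0] is not None:
            vk = c["args"][0]
            out.append((c["ref"], VK_NAMES.get(vk, "VK_0x%02X" % vk)))
    return out

def decode_dacl_edit(calls):
    """Name the raw arguments of the DACL-edit calls the report shows."""
    facts = {}
    for c in calls:
        a = c["args"]
        if c["api"] == "GetAclInformation" and len(a) >= 4:
            facts["acl_info_len"] = a[2]                    # 0xC == sizeof(ACL_SIZE_INFORMATION)
            facts["acl_info_class"] = ACL_INFORMATION_CLASS.get(a[3])
        elif c["api"] == "AddAce" and len(a) >= 2:
            facts["ace_revision"] = ACE_REVISION.get(a[1])
        elif c["api"] == "SetSecurityDescriptorDacl" and len(a) >= 4:
            facts["dacl_present"] = bool(a[1])              # BOOL bDaclPresent
            facts["dacl_defaulted"] = bool(a[3])            # BOOL bDaclDefaulted
        elif c["api"] == "SetUserObjectSecurity" and len(a) >= 2 and a[1] is not None:
            # Assumption: the analyser prints the SECURITY_INFORMATION value the
            # pointer argument refers to, which is why 00000004 appears here.
            facts["security_information"] = [n for bit, n in SECURITY_INFORMATION.items() if a[1] & bit]
    return facts

def has_subsequence(seq, pattern):
    """True if every API in pattern appears in seq, in order (gaps allowed)."""
    it = iter(seq)
    return all(p in it for p in pattern)

DACL_EDIT = ("GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity")

def classify(calls):
    """Flag the two behaviours; names are this example's, not the report's signatures."""
    apis = [c["api"] for c in calls]
    polled = {name for _, name in key_polls(calls)}
    return {
        "user_object_dacl_edit": has_subsequence(apis, DACL_EDIT),
        "modifier_key_polling": len(polled & MODIFIER_KEYS) >= 3,
    }

if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    print(classify(calls))
    print(decode_dacl_edit(calls))
    print(key_polls(calls))
```

parse_calls accepts the "Part of subcall function" prefix and the LIBCMT bullets without an argument list, so a whole APIs section can be pasted in unchanged; arguments the analyser could not resolve come back as None and the decoders skip them rather than guess.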
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1737998785-0
                                                                                                                          • Opcode ID: 1e7c3b80e1f3095c40d71f772a25ceab4385ba8703e7296940765119435ec76a
                                                                                                                          • Instruction ID: c59dedabc1a4f84d9c136e7215efd9953f4d712d31144ae5f9a1e634c4eba26e
                                                                                                                          • Opcode Fuzzy Hash: 1e7c3b80e1f3095c40d71f772a25ceab4385ba8703e7296940765119435ec76a
                                                                                                                          • Instruction Fuzzy Hash: 26218D31300214AFDB22AF64EC4AB6D77ACEF44711F05841AF90ADB261CB71E8428F91
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00309ABF: CLSIDFromProgID.OLE32 ref: 00309ADC
                                                                                                                            • Part of subcall function 00309ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00309AF7
                                                                                                                            • Part of subcall function 00309ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00309B05
                                                                                                                            • Part of subcall function 00309ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00309B15
                                                                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0032C235
                                                                                                                          • _memset.LIBCMT ref: 0032C242
                                                                                                                          • _memset.LIBCMT ref: 0032C360
                                                                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0032C38C
                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 0032C397
                                                                                                                          Strings
                                                                                                                          • NULL Pointer assignment, xrefs: 0032C3E5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                          • String ID: NULL Pointer assignment
                                                                                                                          • API String ID: 1300414916-2785691316
                                                                                                                          • Opcode ID: 57122c34c8ebfabc09004772a3de32802678defc16fbb66b76a7c3d361e1e0cb
                                                                                                                          • Instruction ID: c8ec2b402b6dadcc2cf39a17fef965ebdb343599fa81da1cde99c93f98cc5955
                                                                                                                          • Opcode Fuzzy Hash: 57122c34c8ebfabc09004772a3de32802678defc16fbb66b76a7c3d361e1e0cb
                                                                                                                          • Instruction Fuzzy Hash: 3B916D71D10228EBDB11DF95EC91EEEBBB8EF08710F20815AF515A7291DB709A45CFA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0030B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030B180
                                                                                                                            • Part of subcall function 0030B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030B1AD
                                                                                                                            • Part of subcall function 0030B134: GetLastError.KERNEL32 ref: 0030B1BA
                                                                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00317A0F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                          • String ID: $@$SeShutdownPrivilege
                                                                                                                          • API String ID: 2234035333-194228
                                                                                                                          • Opcode ID: 985f16193f138f3d18c8122589b29952f54de1dc9e7d59f4d720f8c87b6ea81d
                                                                                                                          • Instruction ID: 26c12f65b69484eaefb1ea992afe281bc4be05a960f12e72883575645e8dafcb
                                                                                                                          • Opcode Fuzzy Hash: 985f16193f138f3d18c8122589b29952f54de1dc9e7d59f4d720f8c87b6ea81d
                                                                                                                          • Instruction Fuzzy Hash: 9C01D4716593116AE72F26649C5ABFE766C9F08741F2D0824FD43A22D2E6609E8081B0
                                                                                                                          APIs
                                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00328CA8
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00328CB7
                                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00328CD3
                                                                                                                          • listen.WSOCK32(00000000,00000005), ref: 00328CE2
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00328CFC
                                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00328D10
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279440585-0
                                                                                                                          • Opcode ID: 51fc39f864234094d906b23a84d39069fd722cc92f46a0b75c0d643c21f8754e
                                                                                                                          • Instruction ID: 584d9fcc9cc98eb256fff22e70924de87f311f94b6d8889887941df14fddead6
                                                                                                                          • Opcode Fuzzy Hash: 51fc39f864234094d906b23a84d39069fd722cc92f46a0b75c0d643c21f8754e
                                                                                                                          • Instruction Fuzzy Hash: A121F3316006109FCB22EF28DC45B6EB7EDEF48710F118159F916AB3E2CB70AD418B51
                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00316554
                                                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00316564
                                                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00316583
                                                                                                                          • __wsplitpath.LIBCMT ref: 003165A7
                                                                                                                          • _wcscat.LIBCMT ref: 003165BA
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003165F9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1605983538-0
                                                                                                                          • Opcode ID: d81f171995474a9f3031fd9ae541b78b35aedb3475bf9906362b6b2a0d1b6ae5
                                                                                                                          • Instruction ID: a75a806402eaab654c21df59ed4b0796a11db39b99a36fbf9e903a85f6a6c35f
                                                                                                                          • Opcode Fuzzy Hash: d81f171995474a9f3031fd9ae541b78b35aedb3475bf9906362b6b2a0d1b6ae5
                                                                                                                          • Instruction Fuzzy Hash: 69216271900218ABDB26ABA4DC89BEEBBBDAB49300F5004E5E505E7151EB719FC5CF60
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$7
                                                                                                                          • API String ID: 0-661606038
                                                                                                                          • Opcode ID: de760d7544d208c893de244b1012c16018c59588c7f423c42d4653e2b3c05669
                                                                                                                          • Instruction ID: 312f531934e302dacd60933d3ed013652dbce58fc5e8fa316a387234219b2ad9
                                                                                                                          • Opcode Fuzzy Hash: de760d7544d208c893de244b1012c16018c59588c7f423c42d4653e2b3c05669
                                                                                                                          • Instruction Fuzzy Hash: BC929A71A2021ACFDF25CF58C880BADB3B1BB54315F25819AEC1AAB390D7709D95CF91
                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003113DC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen
                                                                                                                          • String ID: ($,28$<28$|
                                                                                                                          • API String ID: 1659193697-153286722
                                                                                                                          • Opcode ID: ebb83976e3584eac5ef1c3d5cf6e16d9e3db3408e4e220f6531cdf6e7d1d055a
                                                                                                                          • Instruction ID: bfd0f8fb7f48e513881c17f3c3908b9c9226f0ca6e9270acbe04395d7ac9b985
                                                                                                                          • Opcode Fuzzy Hash: ebb83976e3584eac5ef1c3d5cf6e16d9e3db3408e4e220f6531cdf6e7d1d055a
                                                                                                                          • Instruction Fuzzy Hash: C8322475A006059FC729CF69C480AAAB7F0FF4C710B12C46EE59ADB7A1E770E981CB44
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0032A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0032A84E
                                                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00329296
                                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003292B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastinet_addrsocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4170576061-0
                                                                                                                          • Opcode ID: d602893e453da097472684b00ac778bd9253ca57462de0efc9a9acbbae04318d
                                                                                                                          • Instruction ID: 52a553cb923b3b722ede288c10089f623d3e5c5a7a90db7e7d83a550b1918bb6
                                                                                                                          • Opcode Fuzzy Hash: d602893e453da097472684b00ac778bd9253ca57462de0efc9a9acbbae04318d
                                                                                                                          • Instruction Fuzzy Hash: 9B41FE30A40610AFDB11BF68C882E7E77EDEF08724F10845EF916AB392CA709D118B91
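As an added example (not code from the Joe Sandbox report, and not code from the analysed sample), the following Python parses the per-function API lines in the format the report uses above, decodes the `socket()` arguments with the standard Winsock constants, and flags capability groups such as process enumeration, a TCP listener, a UDP socket and a privileged shutdown. The four listings embedded in the script are copied from the function blocks above; the capability rules and the constant tables are the example's own assumptions, not something the report states.

```python
"""Parse per-function API listings from a Joe Sandbox report and flag capabilities.

Added example: not code from the Joe Sandbox report nor from the sample it
analyses. The listings below are copied from the report's function blocks;
the capability rules and Winsock constant tables are this example's own.
"""
import re

# One API line, e.g.
#   • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00328CA8
#   • Part of subcall function 0030B134: GetLastError.KERNEL32 ref: 0030B1BA
#   • _memset.LIBCMT ref: 0032C242
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Winsock constants for socket(af, type, protocol). Assumption: the listing
# prints arguments as 32-bit hex words and "?" for values IDA could not resolve.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# A rule fires when every listed API occurs in the block (direct or subcall).
RULES = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "privileged_shutdown": {"LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx"},
    "tcp_listener": {"socket", "bind", "listen"},
    "com_object_creation": {"CoInitializeSecurity", "CoCreateInstanceEx"},
    "file_enumeration": {"FindFirstFileW", "FindNextFileW", "FindClose"},
}

# Listings copied from the report blocks (constructed test input).
TCP_LISTEN = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00328CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00328CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00328CD3
• listen.WSOCK32(00000000,00000005), ref: 00328CE2
• WSAGetLastError.WSOCK32(00000000), ref: 00328CFC
• closesocket.WSOCK32(00000000,00000000), ref: 00328D10
"""
SHUTDOWN = """\
APIs
  • Part of subcall function 0030B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030B180
  • Part of subcall function 0030B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030B1AD
  • Part of subcall function 0030B134: GetLastError.KERNEL32 ref: 0030B1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00317A0F
"""
PROCESS_LIST = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00316554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00316564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00316583
• __wsplitpath.LIBCMT ref: 003165A7
• _wcscat.LIBCMT ref: 003165BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 003165F9
"""
UDP_OPEN = """\
APIs
  • Part of subcall function 0032A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0032A84E
• socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00329296
• WSAGetLastError.WSOCK32(00000000,00000000), ref: 003292B9
"""


def parse_calls(listing):
    """Return the API calls of one function block as a list of dicts."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Strings"
        raw = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": raw.split(",") if raw else [],
                      "ref": int(m.group("ref"), 16),
                      "subcall": m.group("sub") is not None})
    return calls


def _arg_int(arg):
    """Hex argument -> int; None when the decompiler printed '?'."""
    return None if arg.strip() == "?" else int(arg, 16)


def describe_socket(call):
    """Decode socket(af, type, protocol) into Winsock symbolic names."""
    if call["api"] != "socket" or len(call["args"]) < 3:
        return None
    af, typ, proto = (_arg_int(a) for a in call["args"][:3])
    return (AF.get(af, f"af={af}"), SOCK_TYPE.get(typ, f"type={typ}"),
            PROTO.get(proto, f"proto={proto}"))


def classify(listing):
    """Sorted capability tags implied by one function block."""
    calls = parse_calls(listing)
    names = {c["api"] for c in calls}
    found = {tag for tag, required in RULES.items() if required <= names}
    for call in calls:
        decoded = describe_socket(call)
        if decoded and decoded[2] == "IPPROTO_UDP":
            found.add("udp_socket")  # a DGRAM socket with no bind/listen
    return sorted(found)


if __name__ == "__main__":
    for name, listing in [("tcp_listen", TCP_LISTEN), ("shutdown", SHUTDOWN),
                          ("process_list", PROCESS_LIST), ("udp_open", UDP_OPEN)]:
        print(f"{name:13} {classify(listing)}")
```

The rules match on API names only, which is enough to separate the four blocks here; a production version would also check arguments (for instance the `SeShutdownPrivilege` string the report attaches to the shutdown block) and the subcall nesting, since a helper such as the one at 0030B134 can be shared by several callers.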
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031EB8A
• _wcscmp.LIBCMT ref: 0031EBBA
• _wcscmp.LIBCMT ref: 0031EBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 0031EBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0031EC0E
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,002EE014,74DF0AE0,002EDEF1,0036DC38,?,?), ref: 002EE02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002EE03E
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
  • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 002EB22F
  • Part of subcall function 002EB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 002EB5A5
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003243BF,00000000), ref: 00324FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00324FD2
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
Similarity
• API ID: _memmove
• String ID: \Q8
• API String ID: 4104443479-289790541
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0031E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0031E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0031E2B4
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 002EF4EA: std::exception::exception.LIBCMT ref: 002EF51E
  • Part of subcall function 002EF4EA: __CxxThrowException@8.LIBCMT ref: 002EF533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0030B1AD
• GetLastError.KERNEL32 ref: 0030B1BA
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00316623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00316664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0031666F
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00317223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0031723A
• FreeSid.ADVAPI32(?), ref: 0031724A
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0031F599
• FindClose.KERNEL32(00000000), ref: 0031F5C9
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0032BE6A,?,?,00000000,?), ref: 0031CEA7
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0032BE6A,?,?,00000000,?), ref: 0031CEB9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00314153
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00314166
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0030ACC0), ref: 0030AB99
• CloseHandle.KERNEL32(?,?,0030ACC0), ref: 0030ABAB
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,002F6DB3,-0000031A,?,?,00000001), ref: 002F81B1
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002F81BA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
                                                                                                                          • Opcode ID: 228a43e284661b457c19dc96da983b4cdbb313d58d1f2b3e206f1d7113820655
                                                                                                                          • Instruction ID: 1d14692d8cb65114a14913a6492950b58bbf295f98d2da386c3cea4b8b7fef6f
                                                                                                                          • Opcode Fuzzy Hash: 228a43e284661b457c19dc96da983b4cdbb313d58d1f2b3e206f1d7113820655
                                                                                                                          • Instruction Fuzzy Hash: 752287716283419FD725DF14C890BABB7E4AF84314F11491EF89A8B391DB71ED94CB82
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 392e5ed0b2e40bf3eec60f8563083e65f5633e5b77f7a3ccfbbca59b984b7cfa
                                                                                                                          • Instruction ID: 2bbb6b7ad7e5c730810dee396bfeecbdd1f3d4e7423c31dc0a572222c2b3ddf5
                                                                                                                          • Opcode Fuzzy Hash: 392e5ed0b2e40bf3eec60f8563083e65f5633e5b77f7a3ccfbbca59b984b7cfa
                                                                                                                          • Instruction Fuzzy Hash: 8BB1D120D2AF414DD72396398831336B65CAFBB3D5F92D72BFC2A74D62EB6185834180
                                                                                                                          APIs
                                                                                                                          • __time64.LIBCMT ref: 0031B6DF
                                                                                                                            • Part of subcall function 002F344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0031BDC3,00000000,?,?,?,?,0031BF70,00000000,?), ref: 002F3453
                                                                                                                            • Part of subcall function 002F344A: __aulldiv.LIBCMT ref: 002F3473
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2893107130-0
                                                                                                                          • Opcode ID: 27c13c01730cd68ca222bb0580352c868770f74054d4212f0caec1c1acf50b96
                                                                                                                          • Instruction ID: fa587d3b6b45c7266d5c3881aca2859d212a5401e2d589beb57b21aefe7155ba
                                                                                                                          • Opcode Fuzzy Hash: 27c13c01730cd68ca222bb0580352c868770f74054d4212f0caec1c1acf50b96
                                                                                                                          • Instruction Fuzzy Hash: AE2172766345108BC72ACF68C481A92F7E5EB99310B248E7DE4E5CB2C0CB74B945DB54
                                                                                                                          APIs
                                                                                                                          • BlockInput.USER32(00000001), ref: 00326ACA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BlockInput
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3456056419-0
                                                                                                                          • Opcode ID: 5605ff06eda3eae1feb26977b1775bfea9f77b45fcf068e0d444e8d12e83a3eb
                                                                                                                          • Instruction ID: c2a618f60dda771627bc4ae41c096e253471a5d416c170010503799d6740edcc
                                                                                                                          • Opcode Fuzzy Hash: 5605ff06eda3eae1feb26977b1775bfea9f77b45fcf068e0d444e8d12e83a3eb
                                                                                                                          • Instruction Fuzzy Hash: DFE01276250214AFC700EB59D405956B7ECAF64751F058416E946D7261DAB0E8048B90
                                                                                                                          APIs
                                                                                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003174DE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: mouse_event
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2434400541-0
                                                                                                                          • Opcode ID: d4328469fef9a2d48185c610feb7a55890ad0f4d6f6910b8b0a57b2a71869fe1
                                                                                                                          • Instruction ID: fcc2acef13ca4462ea621e4f82e29495c8e12f7eeb52b1d8b7f6f99bb7de9437
                                                                                                                          • Opcode Fuzzy Hash: d4328469fef9a2d48185c610feb7a55890ad0f4d6f6910b8b0a57b2a71869fe1
                                                                                                                          • Instruction Fuzzy Hash: 28D017A012C30528E92F0726CC0FEF60928B3187C1F9A8189B082894C1BC8058C19022
                                                                                                                          APIs
                                                                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0030AD3E), ref: 0030B124
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LogonUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1244722697-0
                                                                                                                          • Opcode ID: cfa0dc90ad003db9577f119da89c54bbb01e58e8ec89fceb059a893df0fffc70
                                                                                                                          • Instruction ID: 77c3b651d10e8ac15206ef905037fc7847ff25c25fceb28b861db2db5c7f9421
                                                                                                                          • Opcode Fuzzy Hash: cfa0dc90ad003db9577f119da89c54bbb01e58e8ec89fceb059a893df0fffc70
                                                                                                                          • Instruction Fuzzy Hash: 9AD09E321A464EAEDF125FA4DC06EAF3F6AEB04701F448511FA15D60A1C675D531EB50
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: NameUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2645101109-0
                                                                                                                          • Opcode ID: 73a0a28468cabfd50491570bb652854ef35e803f701ce36eafda0dd53f368318
                                                                                                                          • Instruction ID: 87541cd2e9cb68dc7584d2dde6e1c0d17077a9e0ea6149f7d53fe28b08fd2134
                                                                                                                          • Opcode Fuzzy Hash: 73a0a28468cabfd50491570bb652854ef35e803f701ce36eafda0dd53f368318
                                                                                                                          • Instruction Fuzzy Hash: 01C04CB1400549DFC752CBC0CD889EEB7BCAB04701F1040919105F2150D7709B459B72
                                                                                                                          APIs
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002F818F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3192549508-0
                                                                                                                          • Opcode ID: e33217a573c254a81f5fd4db609b11f302d908fd37c1ce76aea78fb3527ed4be
                                                                                                                          • Instruction ID: b3d24f712c6b850ef69eb69625a905f740fbdc08d5178a8d816cba01ae6caed8
                                                                                                                          • Opcode Fuzzy Hash: e33217a573c254a81f5fd4db609b11f302d908fd37c1ce76aea78fb3527ed4be
                                                                                                                          • Instruction Fuzzy Hash: 38A0113000020CAB8F022B82EC088883F2CEA002A2B0000A0F80C000308B22A8A08A82
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: fd284c763b8a96b32d0d1df7ab638dd837866927499ef9a461f1c22464aa4d47
                                                                                                                          • Instruction ID: 66ee4bf0bb3ae520539e0ab6b59c939f2dcbae58f50016bfa3f4b6dba883bb2f
                                                                                                                          • Opcode Fuzzy Hash: fd284c763b8a96b32d0d1df7ab638dd837866927499ef9a461f1c22464aa4d47
                                                                                                                          • Instruction Fuzzy Hash: 92129B70A10209DFDF05DFA5D985AAEB7F9FF48300F60456AE406E7291EB36AD60CB50
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e7620d1a367812b42c640ce61dda2db3b46823c175ce86dd51cd5c81e1269fbc
                                                                                                                          • Instruction ID: fb357fa2364a573bce12cfd25d9db57ab045083a41d2621eaeae79ce40bc15de
                                                                                                                          • Opcode Fuzzy Hash: e7620d1a367812b42c640ce61dda2db3b46823c175ce86dd51cd5c81e1269fbc
                                                                                                                          • Instruction Fuzzy Hash: F9129E709242068FDF24EF54C480AAEB7F1FF14304F56806AD95A9F351E771ADA1CB91
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Exception@8Throwstd::exception::exception
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3728558374-0
                                                                                                                          • Opcode ID: a6c4d627b11d4180683c62ecfa05a9fed0e4524be90a78888e3366a5ece250d3
                                                                                                                          • Instruction ID: f449adcfb2eac74a542312b965b79440539b8260df3f3c8704e3c524ef50ad5e
                                                                                                                          • Opcode Fuzzy Hash: a6c4d627b11d4180683c62ecfa05a9fed0e4524be90a78888e3366a5ece250d3
                                                                                                                          • Instruction Fuzzy Hash: D7029C70A10205DBCF05DF64D991AAEB7F5EF48300F5580AAF806AB395EB31ED25CB91
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                          • Instruction ID: 829900e2c9c2b43c05a9069dbafdda059089e184f2c4f0ffc10fea1b291816b9
                                                                                                                          • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                                                          • Instruction Fuzzy Hash: 5BC19F322251D70ADF6D4A3A85B443EFAA15AA27F135A077DD8B3CB4D2EE20D534D620
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                          • Instruction ID: c10555142e1b5fed3d191aebd2f599447627dcdbade21e7ea55e903c4b051441
                                                                                                                          • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                                                          • Instruction Fuzzy Hash: 9CC1AF322251D709DB6D4A3A85B443EFAA15AA2BF131A07BDD4B3CB4D7EE20D534D620
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                          • Instruction ID: 0f985b0cd024e246e01d128c1ac9e0fb24785847f58612326f73b8302adbc71f
                                                                                                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                          • Instruction Fuzzy Hash: B7C1B2322650D309DFAD4A3BC63043EBAA15AA27B539E077DD4B3CB5D6EE20D534D620
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                          • Instruction ID: 2e27c541cb440e8554f43218ccd510d57619866c02ee777d99403a1397c92691
                                                                                                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                          • Instruction Fuzzy Hash: B441C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                          • Instruction ID: c9b21850764a6ca2065ef141763ae8c705f8ab39d2a27fe7aa224154fc96b8db
                                                                                                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                          • Instruction Fuzzy Hash: 56019278A10109EFCB84DF98C5909AEF7B6FB48314F208599DD19A7305D730AE91DB90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                          • Instruction ID: f6d92466b75d980717d8560e7566a60095e418c298c84831e893bd1f0c00512e
                                                                                                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                          • Instruction Fuzzy Hash: 70019278A10109EFCB88DF98C5909AEF7F5FB48314F208599DD19A7305D730AE81DB90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e6cebe91381a73e9357a9b59e97dfbf103e8ec3dd19718f71a0c97adfa94accb
                                                                                                                          • Instruction ID: 2502c6bf75c78b2d817e4582b7f648cfb0604cb897e3f7176acdd685bfabacec
                                                                                                                          • Opcode Fuzzy Hash: e6cebe91381a73e9357a9b59e97dfbf103e8ec3dd19718f71a0c97adfa94accb
                                                                                                                          • Instruction Fuzzy Hash: 4AD0A96B8293907F7F49843100070D38FC3269330CBBB312AC9429B403C90A0C1BFAC8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1712784061.0000000001256000.00000040.00000020.00020000.00000000.sdmp, Offset: 01256000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_1256000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                                          APIs
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0032A2FE
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0032A310
                                                                                                                          • DestroyWindow.USER32 ref: 0032A31E
                                                                                                                          • GetDesktopWindow.USER32 ref: 0032A338
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0032A33F
                                                                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0032A480
                                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0032A490
                                                                                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A4D8
                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 0032A4E4
                                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0032A51E
                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A540
                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A553
                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A55E
                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0032A567
                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A576
                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0032A57F
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A586
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0032A591
                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A5A3
                                                                                                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0035D9BC,00000000), ref: 0032A5B9
                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0032A5C9
                                                                                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0032A5EF
                                                                                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0032A60E
                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A630
                                                                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A81D
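The call list above (ref 0032A2FE to 0032A81D) is the one piece of this part of the report that describes a procedure: a file is read into an HGLOBAL, wrapped in an IStream, decoded with OleLoadPicture, copied to a DIB section and pushed into a static control with STM_SETIMAGE, inside a top-level window of class "AutoIt v3". As an added example that is not Joe Sandbox output and not part of the report, the Python below parses those trace lines as the report prints them, names the Win32 constants that appear as raw hex (header values from winuser.h and winbase.h), and checks the call order against the shape of AutoIt's SplashImageOn routine. The SplashImageOn reading is the editor's inference from the API order and from the 500x400 rectangle matching AutoIt's documented default splash size, not something the report states; argument positions are taken exactly as printed and unresolved "?" slots are left alone, and the sample lines are a copied subset of the listing.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: nine of the API trace lines from the listing above for the
# routine at 0032A2FE..0032A81D, copied as the report prints them.
TRACE = """\
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0032A480
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A4D8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0032A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A540
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A55E
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0032A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0035D9BC,00000000), ref: 0032A5B9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0032A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0032A60E
"""


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw tokens as printed; '?' marks a value the sandbox could not resolve
    ref: int          # return address of the call inside the dumped image


LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


def parse_trace(text: str) -> List[Call]:
    """Turn 'Api.MODULE(arg,arg,...), ref: ADDR' lines into Call records."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            api, module, argstr, ref = m.groups()
            args = [a.strip() for a in argstr.split(",")] if argstr else []
            calls.append(Call(api, module, args, int(ref, 16)))
    return calls


def as_int(tok: str) -> Optional[int]:
    """Hex argument tokens become ints; '?' and string arguments stay None."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else None


# Win32 header values (winuser.h / winbase.h) for the bits that occur in this trace.
WS_BITS = {0x80000000: "WS_POPUP", 0x40000000: "WS_CHILD", 0x10000000: "WS_VISIBLE",
           0x08000000: "WS_DISABLED", 0x00800000: "WS_BORDER", 0x00400000: "WS_DLGFRAME"}
STATIC_TYPES = {0xE: "SS_BITMAP"}   # low nibble (SS_TYPEMASK) of a STATIC control's style
CONSTANTS = {                       # (api, argument index) -> named values
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
    ("GlobalAlloc", 0): {0x2: "GMEM_MOVEABLE"},
    ("CopyImage", 1): {0x0: "IMAGE_BITMAP"},
    ("CopyImage", 4): {0x2000: "LR_CREATEDIBSECTION"},
    ("SendMessageW", 1): {0x172: "STM_SETIMAGE"},
}


def decode_window_style(style: int, cls: str) -> List[str]:
    names = [n for bit, n in WS_BITS.items() if style & bit]
    if style & 0x00C00000 == 0x00C00000:          # WS_BORDER|WS_DLGFRAME is WS_CAPTION
        names = [n for n in names if n not in ("WS_BORDER", "WS_DLGFRAME")] + ["WS_CAPTION"]
    if cls.lower() == "static":
        names.append(STATIC_TYPES.get(style & 0xF, f"SS_0x{style & 0xF:X}"))
    return names


def annotate(call: Call) -> Dict[int, str]:
    """Map argument index -> symbolic name for every constant this decoder knows."""
    notes: Dict[int, str] = {}
    if call.api == "CreateWindowExW" and len(call.args) > 3:
        style = as_int(call.args[3])              # dwStyle; args[1] is lpClassName
        if style is not None:
            notes[3] = "|".join(decode_window_style(style, call.args[1]))
    for i, tok in enumerate(call.args):
        value, table = as_int(tok), CONSTANTS.get((call.api, i))
        if table and value in table:
            notes[i] = table[value]
    return notes


def match_autoit_splash(calls: List[Call]) -> Dict[str, object]:
    """Check the call order against the shape of AutoIt's SplashImageOn: host window of class
    'AutoIt v3', then an SS_BITMAP static, then OleLoadPicture, then STM_SETIMAGE. Each stage
    only counts if the previous one was already seen (editor's inference, not a report claim)."""
    ev: Dict[str, object] = {"host_window": False, "bitmap_static": False,
                             "ole_picture": False, "stm_setimage": False, "splash_size": None}
    for c in calls:
        n = annotate(c)
        if c.api == "SetRect" and len(c.args) >= 5:
            w, h = as_int(c.args[3]), as_int(c.args[4])
            if w is not None and h is not None:
                ev["splash_size"] = (w, h)        # (500, 400) is AutoIt's documented default
        elif c.api == "CreateWindowExW" and len(c.args) > 3:
            if c.args[1] == "AutoIt v3":
                ev["host_window"] = True
            elif c.args[1].lower() == "static" and "SS_BITMAP" in n.get(3, ""):
                ev["bitmap_static"] = bool(ev["host_window"])
        elif c.api == "OleLoadPicture":
            ev["ole_picture"] = bool(ev["bitmap_static"])
        elif c.api == "SendMessageW" and n.get(1) == "STM_SETIMAGE":
            ev["stm_setimage"] = bool(ev["ole_picture"])
    ev["is_splash_image_on"] = all(ev[k] for k in ("host_window", "bitmap_static",
                                                    "ole_picture", "stm_setimage"))
    return ev


if __name__ == "__main__":
    for call in parse_trace(TRACE):
        print(f"{call.ref:08X} {call.api:<22} {annotate(call)}")
    print(match_autoit_splash(parse_trace(TRACE)))
```

Decoded this way, 88C00000 on the "AutoIt v3" window is WS_POPUP|WS_DISABLED|WS_CAPTION and 5000000E on the child is WS_CHILD|WS_VISIBLE|SS_BITMAP, which is the standard picture-in-a-static pattern; the routine is GUI housekeeping from the AutoIt runtime rather than the FormBook payload, so it is useful for confirming the "compiled AutoIt script" signature but not as a detection anchor on its own.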
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                          • API String ID: 2211948467-2373415609
                                                                                                                          • Opcode ID: dfabf83f878bc1e2001aec0c7dfbd6bfad92fc53ee0730999dab9872e6c6e11f
                                                                                                                          • Instruction ID: 7759fc0d7b013c1cabfad90ab53299d75b2647d4666af9525d808421715e296b
                                                                                                                          • Opcode Fuzzy Hash: dfabf83f878bc1e2001aec0c7dfbd6bfad92fc53ee0730999dab9872e6c6e11f
                                                                                                                          • Instruction Fuzzy Hash: 64028A75900615EFDB26DFA8DD89EAE7BB9EB48311F008159F905AB2A1C730ED41CF60
                                                                                                                          APIs
                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0033D2DB
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0033D30C
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 0033D318
                                                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 0033D332
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 0033D341
                                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0033D36C
                                                                                                                          • GetSysColor.USER32(00000010), ref: 0033D374
                                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 0033D37B
                                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 0033D38A
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0033D391
                                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0033D3DC
                                                                                                                          • FillRect.USER32(?,?,00000000), ref: 0033D40E
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0033D439
                                                                                                                            • Part of subcall function 0033D575: GetSysColor.USER32(00000012), ref: 0033D5AE
                                                                                                                            • Part of subcall function 0033D575: SetTextColor.GDI32(?,?), ref: 0033D5B2
                                                                                                                            • Part of subcall function 0033D575: GetSysColorBrush.USER32(0000000F), ref: 0033D5C8
                                                                                                                            • Part of subcall function 0033D575: GetSysColor.USER32(0000000F), ref: 0033D5D3
                                                                                                                            • Part of subcall function 0033D575: GetSysColor.USER32(00000011), ref: 0033D5F0
                                                                                                                            • Part of subcall function 0033D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033D5FE
                                                                                                                            • Part of subcall function 0033D575: SelectObject.GDI32(?,00000000), ref: 0033D60F
                                                                                                                            • Part of subcall function 0033D575: SetBkColor.GDI32(?,00000000), ref: 0033D618
                                                                                                                            • Part of subcall function 0033D575: SelectObject.GDI32(?,?), ref: 0033D625
                                                                                                                            • Part of subcall function 0033D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0033D644
                                                                                                                            • Part of subcall function 0033D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033D65B
                                                                                                                            • Part of subcall function 0033D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0033D670
                                                                                                                            • Part of subcall function 0033D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033D698
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3521893082-0
                                                                                                                          • Opcode ID: 957fb981df9532b3886806962f64aad1f237e1fe67d4a477502e0c7307d1e363
                                                                                                                          • Instruction ID: d30d7142cfc01cfde6dff775674b0a5a8acb5e653d801046de848e45ea0d6b1b
                                                                                                                          • Opcode Fuzzy Hash: 957fb981df9532b3886806962f64aad1f237e1fe67d4a477502e0c7307d1e363
                                                                                                                          • Instruction Fuzzy Hash: 24915F71408301BFD7229F64EC48A6BBBADFF89326F100A19F562961F0D771D944CB52
                                                                                                                          APIs
                                                                                                                          • DestroyWindow.USER32 ref: 002EB98B
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 002EB9CD
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 002EB9D8
                                                                                                                          • DestroyIcon.USER32(00000000), ref: 002EB9E3
                                                                                                                          • DestroyWindow.USER32(00000000), ref: 002EB9EE
                                                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0034D2AA
                                                                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0034D2E3
                                                                                                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0034D711
                                                                                                                            • Part of subcall function 002EB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002EB759,?,00000000,?,?,?,?,002EB72B,00000000,?), ref: 002EBA58
                                                                                                                          • SendMessageW.USER32 ref: 0034D758
                                                                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0034D76F
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000), ref: 0034D785
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000), ref: 0034D790
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 464785882-4108050209
                                                                                                                          • Opcode ID: ea17cd112e8d944ff5edbc8ebf911860ae5bf97e28c5f5d2ab08fc3e2f29fc55
                                                                                                                          • Instruction ID: e0e87ef13a30ae32ce401d026772500152aa92f08ae6b153623913775c2f825a
                                                                                                                          • Opcode Fuzzy Hash: ea17cd112e8d944ff5edbc8ebf911860ae5bf97e28c5f5d2ab08fc3e2f29fc55
                                                                                                                          • Instruction Fuzzy Hash: 3D127B342142419FDB22CF25C888BAABBE5FF09305F554569E989CF662CB31F852CF91
                                                                                                                          APIs
                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0031DBD6
                                                                                                                          • GetDriveTypeW.KERNEL32(?,0036DC54,?,\\.\,0036DC00), ref: 0031DCC3
                                                                                                                          • SetErrorMode.KERNEL32(00000000,0036DC54,?,\\.\,0036DC00), ref: 0031DE29
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorMode$DriveType
                                                                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                          • API String ID: 2907320926-4222207086
                                                                                                                          • Opcode ID: 6e2ad397fd91c13ecb09e3a0b7e9333ef80b353e1ab9e6225a87060cedf809db
                                                                                                                          • Instruction ID: 86fe42be2fa436b4129172d114ea625518dc4e8675275b5bf5e44c9084c99fd2
                                                                                                                          • Opcode Fuzzy Hash: 6e2ad397fd91c13ecb09e3a0b7e9333ef80b353e1ab9e6225a87060cedf809db
                                                                                                                          • Instruction Fuzzy Hash: 2A51C730248302DBC61BEF14D8518EAB7A5FF5EB01B20485AF4079B791DB60DDD6DB42
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __wcsnicmp
                                                                                                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                          • API String ID: 1038674560-86951937
                                                                                                                          • Opcode ID: 924b81c383a6ac1e2c07c25323b1ed5617c9124493649fc19c54d6f0296f4026
                                                                                                                          • Instruction ID: 44d66f5833841e4bbfee88f493989714419e605cacb4e6b9f2f01a3b28e23d69
                                                                                                                          • Opcode Fuzzy Hash: 924b81c383a6ac1e2c07c25323b1ed5617c9124493649fc19c54d6f0296f4026
                                                                                                                          • Instruction Fuzzy Hash: 25812B3066020AABDB16BE64CD42FFF77A9AF14340F544036F905BA2C6EB60DD75CA91
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(?,?,0036DC00), ref: 00336449
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharUpper
                                                                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                          • API String ID: 3964851224-45149045
                                                                                                                          • Opcode ID: af097cae88b02a3e85d86a7e20c3bac7ff600a8193395caa36f423a2768fb01a
                                                                                                                          • Instruction ID: aab7cc0af48fd0dca06ef5a823cda73e652bf6316fe89788f8d8ff83fb378639
                                                                                                                          • Opcode Fuzzy Hash: af097cae88b02a3e85d86a7e20c3bac7ff600a8193395caa36f423a2768fb01a
                                                                                                                          • Instruction Fuzzy Hash: 7BC1F6342147429FCB06FF10C492A6EB7A5AF89744F518859F8865B7E3DB30ED4ACB41
                                                                                                                          APIs
                                                                                                                          • GetSysColor.USER32(00000012), ref: 0033D5AE
                                                                                                                          • SetTextColor.GDI32(?,?), ref: 0033D5B2
                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0033D5C8
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 0033D5D3
                                                                                                                          • CreateSolidBrush.GDI32(?), ref: 0033D5D8
                                                                                                                          • GetSysColor.USER32(00000011), ref: 0033D5F0
                                                                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033D5FE
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 0033D60F
                                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 0033D618
                                                                                                                          • SelectObject.GDI32(?,?), ref: 0033D625
                                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0033D644
                                                                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033D65B
                                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0033D670
                                                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033D698
                                                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0033D6BF
                                                                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0033D6DD
                                                                                                                          • DrawFocusRect.USER32(?,?), ref: 0033D6E8
                                                                                                                          • GetSysColor.USER32(00000011), ref: 0033D6F6
                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0033D6FE
                                                                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0033D712
                                                                                                                          • SelectObject.GDI32(?,0033D2A5), ref: 0033D729
                                                                                                                          • DeleteObject.GDI32(?), ref: 0033D734
                                                                                                                          • SelectObject.GDI32(?,?), ref: 0033D73A
                                                                                                                          • DeleteObject.GDI32(?), ref: 0033D73F
                                                                                                                          • SetTextColor.GDI32(?,?), ref: 0033D745
                                                                                                                          • SetBkColor.GDI32(?,?), ref: 0033D74F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1996641542-0
                                                                                                                          • Opcode ID: 73afa12ff1068ff7e3bc803503771e0138e1a2aeab86fe1ad402e638211adf44
                                                                                                                          • Instruction ID: c712d8c1a04e2c6a3ea46379e60207d3d8c4ed899fc9e70afe15dbbd5c7aaf4f
                                                                                                                          • Opcode Fuzzy Hash: 73afa12ff1068ff7e3bc803503771e0138e1a2aeab86fe1ad402e638211adf44
                                                                                                                          • Instruction Fuzzy Hash: 1E514C71900208BFDF229FA4DC88EAE7BB9FF09321F114515F915AB2A1D7719A40CF50
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0033B7B0
                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0033B7C1
                                                                                                                          • CharNextW.USER32(0000014E), ref: 0033B7F0
                                                                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0033B831
                                                                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0033B847
                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0033B858
                                                                                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0033B875
                                                                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 0033B8C7
                                                                                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0033B8DD
                                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0033B90E
                                                                                                                          • _memset.LIBCMT ref: 0033B933
                                                                                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0033B97C
                                                                                                                          • _memset.LIBCMT ref: 0033B9DB
                                                                                                                          • SendMessageW.USER32 ref: 0033BA05
                                                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0033BA5D
                                                                                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0033BB0A
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0033BB2C
                                                                                                                          • GetMenuItemInfoW.USER32(?), ref: 0033BB76
                                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0033BBA3
                                                                                                                          • DrawMenuBar.USER32(?), ref: 0033BBB2
                                                                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 0033BBDA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 1073566785-4108050209
                                                                                                                          • Opcode ID: 922f7ea7d1598fc86caebd2290566bc840e102e735efdbe6fbcdcdab83ada0a3
                                                                                                                          • Instruction ID: d4c59c39007fddc75a72f60772243613ae80281ccd7ab39911493aabe82f86ea
                                                                                                                          • Opcode Fuzzy Hash: 922f7ea7d1598fc86caebd2290566bc840e102e735efdbe6fbcdcdab83ada0a3
                                                                                                                          • Instruction Fuzzy Hash: 8FE18175900218ABDF229F61CCC5EEEBB7CFF05754F108156FA19AA191DB748A81CF60
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Foreground
                                                                                                                          • String ID: ACTIVE$ALL$CLASS$H+8$HANDLE$INSTANCE$L+8$LAST$P+8$REGEXPCLASS$REGEXPTITLE$T+8$TITLE
                                                                                                                          • API String ID: 62970417-37218546
                                                                                                                          • Opcode ID: 291f2b0024bc2bc958ddd1379a38685605d31515c4c8852fe0fddb258f993b47
                                                                                                                          • Instruction ID: 1a2bcec56c584dd759a40ad0cbb722ec1468cae65c902c85c8686838f0eef296
                                                                                                                          • Opcode Fuzzy Hash: 291f2b0024bc2bc958ddd1379a38685605d31515c4c8852fe0fddb258f993b47
                                                                                                                          • Instruction Fuzzy Hash: 06D1C530118742DBCB06EF11C4419ABBBF4BF58340F90491AF455AB6A1DB70F9AACF91
                                                                                                                          APIs
                                                                                                                          • GetCursorPos.USER32(?), ref: 0033778A
                                                                                                                          • GetDesktopWindow.USER32 ref: 0033779F
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 003377A6
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00337808
                                                                                                                          • DestroyWindow.USER32(?), ref: 00337834
                                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0033785D
                                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033787B
                                                                                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003378A1
                                                                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 003378B6
                                                                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003378C9
                                                                                                                          • IsWindowVisible.USER32(?), ref: 003378E9
                                                                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00337904
                                                                                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00337918
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00337930
                                                                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00337956
                                                                                                                          • GetMonitorInfoW.USER32 ref: 00337970
                                                                                                                          • CopyRect.USER32(?,?), ref: 00337987
                                                                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 003379F2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                          • String ID: ($0$tooltips_class32
                                                                                                                          • API String ID: 698492251-4156429822
                                                                                                                          • Opcode ID: 0b1232c0f0b7dba79bb0bc8dd83472333cf1dd84f605870219e1170f625dfb3d
                                                                                                                          • Instruction ID: 0a62be406b239e0780b5e2bec5ac821211ccbdc629ab2861003a67702facc414
                                                                                                                          • Opcode Fuzzy Hash: 0b1232c0f0b7dba79bb0bc8dd83472333cf1dd84f605870219e1170f625dfb3d
                                                                                                                          • Instruction Fuzzy Hash: 8AB18FB1618301AFD715DF64C989B6ABBE5FF88310F008A1DF5999B2A1D770EC05CB92
                                                                                                                          APIs
                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002EA939
                                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 002EA941
                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002EA96C
                                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 002EA974
                                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 002EA999
                                                                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002EA9B6
                                                                                                                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 002EA9C6
                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002EA9F9
                                                                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002EAA0D
                                                                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 002EAA2B
                                                                                                                          • GetStockObject.GDI32(00000011), ref: 002EAA47
                                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 002EAA52
                                                                                                                            • Part of subcall function 002EB63C: GetCursorPos.USER32(000000FF), ref: 002EB64F
                                                                                                                            • Part of subcall function 002EB63C: ScreenToClient.USER32(00000000,000000FF), ref: 002EB66C
                                                                                                                            • Part of subcall function 002EB63C: GetAsyncKeyState.USER32(00000001), ref: 002EB691
                                                                                                                            • Part of subcall function 002EB63C: GetAsyncKeyState.USER32(00000002), ref: 002EB69F
                                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,002EAB87), ref: 002EAA79
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                          • String ID: AutoIt v3 GUI
                                                                                                                          • API String ID: 1458621304-248962490
                                                                                                                          • Opcode ID: 109b9520a73e7a9db2e670db2364af8d5de939e1ba67e75e0cb982414a18c052
                                                                                                                          • Instruction ID: 851c409beccdc90649c9000cdc56fde7133b92ff5ff0fcd301d5ae87e692470a
                                                                                                                          • Opcode Fuzzy Hash: 109b9520a73e7a9db2e670db2364af8d5de939e1ba67e75e0cb982414a18c052
                                                                                                                          • Instruction Fuzzy Hash: 5DB1AC71A5020A9FDB15DFA8DC45BAE7BB8FB08315F114229FA15EB2A0DB70E850CB51
                                                                                                                          APIs
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00333735
                                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0036DC00,00000000,?,00000000,?,?), ref: 003337A3
                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003337EB
                                                                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00333874
                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00333B94
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00333BA1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                          • API String ID: 536824911-966354055
                                                                                                                          • Opcode ID: 1f4840d81e90af4c1e0823a9bd2d712c9dd483954de8762a11c46c0aeb3580cd
                                                                                                                          • Instruction ID: d77866122a09b5b8ba1e5bda90199bf1b0cc775d282aeaec26776a9c46718b16
                                                                                                                          • Opcode Fuzzy Hash: 1f4840d81e90af4c1e0823a9bd2d712c9dd483954de8762a11c46c0aeb3580cd
                                                                                                                          • Instruction Fuzzy Hash: FC026B752146419FCB15EF18C891A2AB7E9FF88720F05855DF98A9B3A1CB30ED51CF81
APIs
• CharUpperBuffW.USER32(?,?), ref: 00336C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00336D16
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: f84ac1f0e69a2f14815c009bdb7446b1ed2ab366a9fe5bc20b07086be47c1de0
• Instruction ID: 3f12fb358c730e8f3af92dc42ceba48a58c5419eaf9b25ccd8b8e1f0dd8620df
• Opcode Fuzzy Hash: f84ac1f0e69a2f14815c009bdb7446b1ed2ab366a9fe5bc20b07086be47c1de0
• Instruction Fuzzy Hash: 6DA1B230214741AFCB15FF20C992A6AB3A5BF48314F51896EF85A5B7D2DB30EC19CB41
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0030CF91
• __swprintf.LIBCMT ref: 0030D032
• _wcscmp.LIBCMT ref: 0030D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0030D09A
• _wcscmp.LIBCMT ref: 0030D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 0030D10D
• GetDlgCtrlID.USER32(?), ref: 0030D15F
• GetWindowRect.USER32(?,?), ref: 0030D195
• GetParent.USER32(?), ref: 0030D1B3
• ScreenToClient.USER32(00000000), ref: 0030D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 0030D234
• _wcscmp.LIBCMT ref: 0030D248
• GetWindowTextW.USER32(?,?,00000400), ref: 0030D26E
• _wcscmp.LIBCMT ref: 0030D282
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: 39b648c71264d511c7f180af27e6e12eca7f56c94cde5e67f8c4b9ad10e5c66f
• Instruction ID: 9c385e10236f7a8fdc04bb251302bf20050c54bf5b10167f7af8d8c2f82c835d
• Opcode Fuzzy Hash: 39b648c71264d511c7f180af27e6e12eca7f56c94cde5e67f8c4b9ad10e5c66f
• Instruction Fuzzy Hash: 90A1D271205306AFC71ADFA4C8A4BAAB7ECFF44350F008929F959D2190DB30E956CB91
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0030D8EB
• _wcscmp.LIBCMT ref: 0030D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0030D924
• CharUpperBuffW.USER32(?,00000000), ref: 0030D941
• _wcscmp.LIBCMT ref: 0030D95F
• _wcsstr.LIBCMT ref: 0030D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0030D9A8
• _wcscmp.LIBCMT ref: 0030D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0030D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0030DA28
• _wcscmp.LIBCMT ref: 0030DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0030DA60
• GetWindowRect.USER32(00000004,?), ref: 0030DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 2d83754c61e22027cd6a9fe82535a0cd6cf38a79bb335e6fefceee05653501c7
• Instruction ID: e673576dd4904deddf22c303906d9d09bcf99298fe2c79af1073c5ffecf97a88
• Opcode Fuzzy Hash: 2d83754c61e22027cd6a9fe82535a0cd6cf38a79bb335e6fefceee05653501c7
• Instruction Fuzzy Hash: 9D81E4311093059FDB02DF94C891FAA7BE8EF84314F04846AFD8A9A0D6DB30DD56CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: f5153a8664047263e44e9af2d6e9a8f15d49b4497d0b3a9176621b5cf088ef07
• Instruction ID: b8258557c297ca901a348fe19f3a6040106750195d9e29671a0037c2c6a9564f
• Opcode Fuzzy Hash: f5153a8664047263e44e9af2d6e9a8f15d49b4497d0b3a9176621b5cf088ef07
• Instruction Fuzzy Hash: E131B031655309AADB17FEA0DE63FEEB3B89F20750F20016AF441711D2EB51AE24CB11
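The string sets recovered from the functions above (the REG_* value-type names compared in the registry-writing routine, the DESELECT/FINDITEM/GETITEMCOUNT... command words, and the [ACTIVE / [CLASS: / [HANDLE: / [REGEXPTITLE: window-description prefixes matched with __wcsnicmp) are the wide-string constants of the AutoIt runtime's RegWrite, ControlListView and Advanced Window Description handling. The triage helper below is an added example, not part of the Joe Sandbox report and not the analysed sample's code: it scans a memory dump or PE image for those runtime strings in UTF-16LE and for the "AU3!EA06" marker that precedes the embedded script in compiled AutoIt executables, and gives a verdict. The attribution of each string group to a specific AutoIt built-in, the two-group threshold and the inline sample buffers are the author's assumptions and constructed input, not data from the report.

```python
"""Added example: score a memory dump or PE image for compiled-AutoIt runtime indicators.

Not part of the Joe Sandbox report. The string groups below are taken from the
String IDs listed above; mapping them to AutoIt built-ins is this example's assumption.
"""
from typing import Dict, List

# Marker that precedes the embedded script resource in compiled AutoIt executables.
AU3_MARKER = b"AU3!EA06"

# Wide-string constants the runtime compares user input against (seen via _wcscmp /
# __wcsnicmp in the listing). Each group is assumed to belong to one built-in.
INDICATOR_GROUPS: Dict[str, List[str]] = {
    "RegWrite value types": [
        "REG_BINARY", "REG_DWORD", "REG_EXPAND_SZ", "REG_MULTI_SZ", "REG_QWORD", "REG_SZ",
    ],
    "ControlListView sub-commands": [
        "DESELECT", "FINDITEM", "GETITEMCOUNT", "GETSELECTED", "GETSELECTEDCOUNT",
        "GETSUBITEMCOUNT", "GETTEXT", "ISSELECTED", "SELECTALL", "SELECTCLEAR",
        "SELECTINVERT", "VIEWCHANGE",
    ],
    "Advanced window descriptions": [
        "[ACTIVE", "[ALL", "[CLASS:", "[HANDLE:", "[LAST", "[REGEXPTITLE:",
    ],
}


def wide(s: str) -> bytes:
    """UTF-16LE, the encoding the _wcscmp/__wcsnicmp comparisons operate on."""
    return s.encode("utf-16-le")


def scan(data: bytes) -> Dict[str, object]:
    """Report which indicator strings occur (as wide strings) and where the AU3 marker is."""
    groups = {
        name: [w for w in words if wide(w) in data]
        for name, words in INDICATOR_GROUPS.items()
    }
    return {
        "au3_marker": AU3_MARKER in data,
        "marker_offset": data.find(AU3_MARKER),  # -1 when absent
        "groups": groups,
    }


def verdict(result: Dict[str, object], min_groups: int = 2) -> str:
    """'likely-autoit' if the marker is present or at least min_groups distinct string
    groups are hit. A lone REG_* name is too common in ordinary software to count."""
    groups_hit = sum(1 for found in result["groups"].values() if found)  # type: ignore[union-attr]
    if result["au3_marker"] or groups_hit >= min_groups:
        return "likely-autoit"
    return "inconclusive"


def scan_file(path: str) -> str:
    """Convenience wrapper for a dumped image on disk (e.g. a .sdmp from the report)."""
    with open(path, "rb") as fh:
        return verdict(scan(fh.read()))


# Constructed sample buffers (not bytes from the analysed binary): one that looks like a
# compiled AutoIt image, one that only carries a single common REG_SZ string.
SAMPLE_AUTOIT = (
    b"\x00" * 16 + wide("[CLASS:") + b"\x00\x00" + wide("GETITEMCOUNT") + b"\x00\x00"
    + wide("REG_EXPAND_SZ") + b"\x00\x00" + AU3_MARKER + b"\x00" * 16
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 30 + wide("REG_SZ") + b"\x00" * 8

if __name__ == "__main__":
    for label, buf in (("autoit-like", SAMPLE_AUTOIT), ("benign-like", SAMPLE_BENIGN)):
        r = scan(buf)
        print(label, verdict(r), r["marker_offset"], r["groups"])
```

Substring matching is deliberate: the runtime also carries the bare ACTIVE / CLASSNAME= / HANDLE= forms listed above, and a packer that splits or re-encodes strings will defeat any of these checks, so treat the verdict as a triage hint, not as ground truth.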
APIs
• LoadIconW.USER32(00000063), ref: 0030EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0030EAC2
• SetWindowTextW.USER32(?,?), ref: 0030EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0030EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0030EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0030EB04
• SetWindowTextW.USER32(00000000,?), ref: 0030EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0030EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0030EB45
• GetWindowRect.USER32(?,?), ref: 0030EB4E
• SetWindowTextW.USER32(?,?), ref: 0030EBB9
• GetDesktopWindow.USER32 ref: 0030EBBF
• GetWindowRect.USER32(00000000), ref: 0030EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0030EC12
• GetClientRect.USER32(?,?), ref: 0030EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0030EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0030EC6F
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: d32b220e16b5e4797bdbd0dea1d274cdd5483eb638df488db448c68d7a32150b
• Instruction ID: 47afb5d57923206fcaa0b497249e50a2fd9c20827b999c26139f32adb70f58c8
• Opcode Fuzzy Hash: d32b220e16b5e4797bdbd0dea1d274cdd5483eb638df488db448c68d7a32150b
• Instruction Fuzzy Hash: F6517D71A00709AFDB22DFA8CD99F6EBBF9FF08705F004918E586A25A0C774A945CB10
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 003279C6
• LoadCursorW.USER32(00000000,00007F00), ref: 003279D1
• LoadCursorW.USER32(00000000,00007F03), ref: 003279DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 003279E7
• LoadCursorW.USER32(00000000,00007F01), ref: 003279F2
• LoadCursorW.USER32(00000000,00007F81), ref: 003279FD
• LoadCursorW.USER32(00000000,00007F88), ref: 00327A08
• LoadCursorW.USER32(00000000,00007F80), ref: 00327A13
• LoadCursorW.USER32(00000000,00007F86), ref: 00327A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 00327A29
• LoadCursorW.USER32(00000000,00007F85), ref: 00327A34
• LoadCursorW.USER32(00000000,00007F82), ref: 00327A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 00327A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 00327A55
• LoadCursorW.USER32(00000000,00007F02), ref: 00327A60
• LoadCursorW.USER32(00000000,00007F89), ref: 00327A6B
• GetCursorInfo.USER32(?), ref: 00327A7B
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: c999ce05e97f456b65e0304dadf9a9ec93fe4883b378343ceb7498db53c9b983
                                                                                                                          • Instruction ID: 54667d6afb043cd38625cdb0b568f88c4fdf7544e6211aeb2848d41be559309c
                                                                                                                          • Opcode Fuzzy Hash: c999ce05e97f456b65e0304dadf9a9ec93fe4883b378343ceb7498db53c9b983
                                                                                                                          • Instruction Fuzzy Hash: 8D3105B1D4831AAADB119FB69C8995FBFECFF04750F50452AA50DE7280DA78A5008FA1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002DC8B7,?,00002000,?,?,00000000,?,002D419E,?,?,?,0036DC00), ref: 002EE984
                                                                                                                            • Part of subcall function 002D660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D53B1,?,?,002D61FF,?,00000000,00000001,00000000), ref: 002D662F
                                                                                                                          • __wsplitpath.LIBCMT ref: 002DC93E
                                                                                                                            • Part of subcall function 002F1DFC: __wsplitpath_helper.LIBCMT ref: 002F1E3C
                                                                                                                          • _wcscpy.LIBCMT ref: 002DC953
                                                                                                                          • _wcscat.LIBCMT ref: 002DC968
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002DC978
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002DCABE
                                                                                                                            • Part of subcall function 002DB337: _wcscpy.LIBCMT ref: 002DB36F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                          • API String ID: 2258743419-1018226102
                                                                                                                          • Opcode ID: bfe8d109b5633e742e4e978ae29861ff02faddfd6fdd4fc0b88b4520625a1f90
                                                                                                                          • Instruction ID: fe4633d8addb60b5293f6f2c5d4f7d75e9f91e4bce50a74a20bcf269c34cc554
                                                                                                                          • Opcode Fuzzy Hash: bfe8d109b5633e742e4e978ae29861ff02faddfd6fdd4fc0b88b4520625a1f90
                                                                                                                          • Instruction Fuzzy Hash: 3512BB711183419FC725EF24C881AAFBBE9AF89304F50491EF58997361DB30EA59CF52
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 0033CEFB
                                                                                                                          • DestroyWindow.USER32(?,?), ref: 0033CF73
                                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0033CFF4
                                                                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0033D016
                                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033D025
                                                                                                                          • DestroyWindow.USER32(?), ref: 0033D042
                                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 0033D075
                                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033D094
                                                                                                                          • GetDesktopWindow.USER32 ref: 0033D0A9
                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0033D0B0
                                                                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0033D0C2
                                                                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0033D0DA
                                                                                                                            • Part of subcall function 002EB526: GetWindowLongW.USER32(?,000000EB), ref: 002EB537
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                                                          • String ID: 0$tooltips_class32
                                                                                                                          • API String ID: 3877571568-3619404913
                                                                                                                          • Opcode ID: cc009de2acc51bcb85cf767dbab7a1b78cabfe0d91cbe087a2605ff1d0ba2e4f
                                                                                                                          • Instruction ID: 8ffb3139f31684c8055800fb8b8231d8c9cdcde735690e73f56bbf358b8842b0
                                                                                                                          • Opcode Fuzzy Hash: cc009de2acc51bcb85cf767dbab7a1b78cabfe0d91cbe087a2605ff1d0ba2e4f
                                                                                                                          • Instruction Fuzzy Hash: A471DD70540305AFD726CF28DC84FA6BBE9EB88B04F44451EF985972A1D735E946CB22
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • DragQueryPoint.SHELL32(?,?), ref: 0033F37A
                                                                                                                            • Part of subcall function 0033D7DE: ClientToScreen.USER32(?,?), ref: 0033D807
                                                                                                                            • Part of subcall function 0033D7DE: GetWindowRect.USER32(?,?), ref: 0033D87D
                                                                                                                            • Part of subcall function 0033D7DE: PtInRect.USER32(?,?,0033ED5A), ref: 0033D88D
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0033F3E3
                                                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0033F3EE
                                                                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0033F411
                                                                                                                          • _wcscat.LIBCMT ref: 0033F441
                                                                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0033F458
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0033F471
                                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0033F488
                                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0033F4AA
                                                                                                                          • DragFinish.SHELL32(?), ref: 0033F4B1
                                                                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0033F59C
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                          • API String ID: 169749273-3440237614
                                                                                                                          • Opcode ID: add619596316cc245cd240e7d59021a253bb7610e80ee0829f06bfbe4c270f74
                                                                                                                          • Instruction ID: 3c4da53bafacf5c01fd4a60123b42b3098c320ff69a1257eec7c32b3740b34a8
                                                                                                                          • Opcode Fuzzy Hash: add619596316cc245cd240e7d59021a253bb7610e80ee0829f06bfbe4c270f74
                                                                                                                          • Instruction Fuzzy Hash: 9B614771508301AFC712EF64DC85D9FBBF8EB89710F500A1EF595922A1DB709A19CB52
                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0031AB3D
                                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0031AB46
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0031AB52
                                                                                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0031AC40
                                                                                                                          • __swprintf.LIBCMT ref: 0031AC70
                                                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 0031AC9C
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0031AD4D
                                                                                                                          • SysFreeString.OLEAUT32(00000016), ref: 0031ADDF
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0031AE35
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0031AE44
                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0031AE80
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                          • API String ID: 3730832054-3931177956
                                                                                                                          • Opcode ID: cdd1ed71f00f28f71be009557a99cb4e94e30ad4c5d5a8bc63b5e50a10620a87
                                                                                                                          • Instruction ID: 2958af97b0690e5290e909fc1295b3cb0a099be208c091e4f12e3aa95224eea8
                                                                                                                          • Opcode Fuzzy Hash: cdd1ed71f00f28f71be009557a99cb4e94e30ad4c5d5a8bc63b5e50a10620a87
                                                                                                                          • Instruction Fuzzy Hash: 19D10371605A05DBCF2A9F65D884BEAB7B9FF0C702F15C056E4099B680DB70DC90DBA2
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 003371FC
                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00337247
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharMessageSendUpper
                                                                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                          • API String ID: 3974292440-4258414348
                                                                                                                          • Opcode ID: e302789e4b6651c46f6a5a3bd9e541dbff4af94773775fd77ccce2aebec9b015
                                                                                                                          • Instruction ID: 7ba8f3356a7058362b8546f02fc6ca3581026f1cd565c8988dff76597be53363
• Opcode Fuzzy Hash: e302789e4b6651c46f6a5a3bd9e541dbff4af94773775fd77ccce2aebec9b015
• Instruction Fuzzy Hash: 1391A1742187419BCB16FF10C491A6EB7A5BF88310F114899F89A5B7A3DB30ED5ACF81
APIs
• EnumChildWindows.USER32(?,0030CF50), ref: 0030CE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: 4+8$CLASS$CLASSNN$H+8$INSTANCE$L+8$NAME$P+8$REGEXPCLASS$T+8$TEXT
• API String ID: 3555792229-2791430727
• Opcode ID: 534f0af8378a955d744e2b0911290c3b3e29457c8cdca30195ec875d00fec5b6
• Instruction ID: 5722e3af14587151ce551f9473fc3fcfe698f03a05ad0a187317f5256f2e1220
• Opcode Fuzzy Hash: 534f0af8378a955d744e2b0911290c3b3e29457c8cdca30195ec875d00fec5b6
• Instruction Fuzzy Hash: E191B4306216469BCB1AEF60C491BEAFB75BF04300F519616D849E72D1DF3069AACFD0
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0033E5AB
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00339808,?), ref: 0033E607
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033E647
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033E68C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033E6C3
• FreeLibrary.KERNEL32(?,00000004,?,?,?,00339808,?), ref: 0033E6CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0033E6DF
• DestroyIcon.USER32(?), ref: 0033E6EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0033E70B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0033E717
  • Part of subcall function 002F0FA7: __wcsicmp_l.LIBCMT ref: 002F1030
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 7f5f7757104d017482d9f7967b472293a07d43fa63965cfa8a590ec4a1d49f1c
• Instruction ID: eb99b759b69aee44b550bfd23d85e89b73973c6e4e5c43f8ee087ebd57c56db6
• Opcode Fuzzy Hash: 7f5f7757104d017482d9f7967b472293a07d43fa63965cfa8a590ec4a1d49f1c
• Instruction Fuzzy Hash: 9661DF71540619FAEB26DF64CC86FBE77ACBB08751F104216F911E61E1EB70E990CBA0
APIs
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
• CharLowerBuffW.USER32(?,?), ref: 0031D292
• GetDriveTypeW.KERNEL32 ref: 0031D2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031D327
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031D35E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031D38C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1148790751-4113822522
• Opcode ID: 28ff1445c3f014a4c419a1d6805377ffd87828a992f6f444e4b1ffd1305b88dc
• Instruction ID: 7a7eee1c4e164b17064eaa22b95c3766e76af86687adf422f63aa5c634836fe3
• Opcode Fuzzy Hash: 28ff1445c3f014a4c419a1d6805377ffd87828a992f6f444e4b1ffd1305b88dc
• Instruction Fuzzy Hash: 11516B711147459FC705EF10C8819AAB7E8EF88B18F10485EF89AA7361DB31EE1ACF42
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00343973,00000016,0000138C,00000016,?,00000016,0036DDB4,00000000,?), ref: 003126F1
• LoadStringW.USER32(00000000,?,00343973,00000016), ref: 003126FA
• GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00343973,00000016,0000138C,00000016,?,00000016,0036DDB4,00000000,?,00000016), ref: 0031271C
• LoadStringW.USER32(00000000,?,00343973,00000016), ref: 0031271F
• __swprintf.LIBCMT ref: 0031276F
• __swprintf.LIBCMT ref: 00312780
• _wprintf.LIBCMT ref: 00312829
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00312840
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 618562835-2268648507
• Opcode ID: 9e57dddf02e2142f738f80ec29e6b680b60e9ca4421eb6f9a4ad8ac47d766a0d
• Instruction ID: c6f67208570d8adcf30e29ed5c61bd46ef4262a563c4cfae87d1d188ab00cc97
• Opcode Fuzzy Hash: 9e57dddf02e2142f738f80ec29e6b680b60e9ca4421eb6f9a4ad8ac47d766a0d
• Instruction Fuzzy Hash: 8C413F72800219BACB15FBE0DD86DEFB778AF18344F500066F50576292EA75AF69CF60
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031D0D8
• __swprintf.LIBCMT ref: 0031D0FA
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0031D137
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0031D15C
• _memset.LIBCMT ref: 0031D17B
• _wcsncpy.LIBCMT ref: 0031D1B7
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0031D1EC
• CloseHandle.KERNEL32(00000000), ref: 0031D1F7
• RemoveDirectoryW.KERNEL32(?), ref: 0031D200
• CloseHandle.KERNEL32(00000000), ref: 0031D20A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 01a11698df4d7567876e4639813ca613ee374a1ba77a25f1217e4cdaed918ea0
• Instruction ID: 1fd3c26681e17dd92bf947fccf5b39912072209b4ea4526285c5fa9b85ecfa10
• Opcode Fuzzy Hash: 01a11698df4d7567876e4639813ca613ee374a1ba77a25f1217e4cdaed918ea0
• Instruction Fuzzy Hash: D031B0B651020AABDB22DFA0DC49FEB77BCEF89741F1040B6F619D2161E770D6858B24
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
• String ID:
• API String ID: 884005220-0
• Opcode ID: 9b7a6b34e8f0599e87d017a715dfc665f0753cdba14a596a002e27f1a8efbb1f
• Instruction ID: b62ab4f1c2b5c70c2a074a62fed12f79261fd5004a4040df1aa2f123df0bada8
• Opcode Fuzzy Hash: 9b7a6b34e8f0599e87d017a715dfc665f0753cdba14a596a002e27f1a8efbb1f
• Instruction Fuzzy Hash: 5C610432902319EFDB276F28DC51B7A77A8EF00760F614126E881EB1C5DF35D9508B95
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0033E754
• GetFileSize.KERNEL32(00000000,00000000), ref: 0033E76B
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 0033E776
• CloseHandle.KERNEL32(00000000), ref: 0033E783
• GlobalLock.KERNEL32(00000000), ref: 0033E78C
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0033E79B
• GlobalUnlock.KERNEL32(00000000), ref: 0033E7A4
• CloseHandle.KERNEL32(00000000), ref: 0033E7AB
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0033E7BC
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0035D9BC,?), ref: 0033E7D5
• GlobalFree.KERNEL32(00000000), ref: 0033E7E5
• GetObjectW.GDI32(?,00000018,000000FF), ref: 0033E809
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 0033E834
• DeleteObject.GDI32(00000000), ref: 0033E85C
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0033E872
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 511e01baab61ad42ff675a3139f507d49e1bdfcd12f3ad48016d564a8a93eda0
• Instruction ID: 65dbc583280b24f7887b16dc42818b44fa8ae21f83f3dbe0f727d1e990b69472
• Opcode Fuzzy Hash: 511e01baab61ad42ff675a3139f507d49e1bdfcd12f3ad48016d564a8a93eda0
• Instruction Fuzzy Hash: 3D412975600304EFDB229F65DC88EAA7BBCEB89B12F114458F909DB2A0D7319941DB60
APIs
• __wsplitpath.LIBCMT ref: 0032076F
• _wcscat.LIBCMT ref: 00320787
• _wcscat.LIBCMT ref: 00320799
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003207AE
• SetCurrentDirectoryW.KERNEL32(?), ref: 003207C2
• GetFileAttributesW.KERNEL32(?), ref: 003207DA
                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 003207F4
                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00320806
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                          • String ID: *.*
                                                                                                                          • API String ID: 34673085-438819550
                                                                                                                          • Opcode ID: 68694f76c5a4cdf3c74333bfa6feac3f84937b7b8ab2c8529bb000cad61f2ff3
                                                                                                                          • Instruction ID: ee10bdfea294d2ce89dad772bc8398fcbedc424491a8c0f7a170f7ebde8da55b
                                                                                                                          • Opcode Fuzzy Hash: 68694f76c5a4cdf3c74333bfa6feac3f84937b7b8ab2c8529bb000cad61f2ff3
                                                                                                                          • Instruction Fuzzy Hash: C381AF715043559FCB29EF64D88496EB7E8FB88300F15882EF88AD7252E730D9588F92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0033EF3B
                                                                                                                          • GetFocus.USER32 ref: 0033EF4B
                                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 0033EF56
                                                                                                                          • _memset.LIBCMT ref: 0033F081
                                                                                                                          • GetMenuItemInfoW.USER32 ref: 0033F0AC
                                                                                                                          • GetMenuItemCount.USER32(00000000), ref: 0033F0CC
                                                                                                                          • GetMenuItemID.USER32(?,00000000), ref: 0033F0DF
                                                                                                                          • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0033F113
                                                                                                                          • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0033F15B
                                                                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033F193
                                                                                                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0033F1C8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 1296962147-4108050209
                                                                                                                          • Opcode ID: b2f90ecc2b302fb8d6d8ea4e4908b10922adbf34c3c14d3a3b6f92f7969f71b4
                                                                                                                          • Instruction ID: 9889dae751ff78549420c3d505eb90905cd1e239d10cad3679f171df295371fd
                                                                                                                          • Opcode Fuzzy Hash: b2f90ecc2b302fb8d6d8ea4e4908b10922adbf34c3c14d3a3b6f92f7969f71b4
                                                                                                                          • Instruction Fuzzy Hash: 51819C71908305EFDB22CF14D8C4A6BBBE8FB88314F41492EF99997291D770D905CB92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0030ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0030ABD7
                                                                                                                            • Part of subcall function 0030ABBB: GetLastError.KERNEL32(?,0030A69F,?,?,?), ref: 0030ABE1
                                                                                                                            • Part of subcall function 0030ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0030A69F,?,?,?), ref: 0030ABF0
                                                                                                                            • Part of subcall function 0030ABBB: HeapAlloc.KERNEL32(00000000,?,0030A69F,?,?,?), ref: 0030ABF7
                                                                                                                            • Part of subcall function 0030ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0030AC0E
                                                                                                                            • Part of subcall function 0030AC56: GetProcessHeap.KERNEL32(00000008,0030A6B5,00000000,00000000,?,0030A6B5,?), ref: 0030AC62
                                                                                                                            • Part of subcall function 0030AC56: HeapAlloc.KERNEL32(00000000,?,0030A6B5,?), ref: 0030AC69
                                                                                                                            • Part of subcall function 0030AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0030A6B5,?), ref: 0030AC7A
                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0030A8CB
                                                                                                                          • _memset.LIBCMT ref: 0030A8E0
                                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0030A8FF
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 0030A910
                                                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0030A94D
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0030A969
                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 0030A986
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0030A995
                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 0030A99C
                                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0030A9BD
                                                                                                                          • CopySid.ADVAPI32(00000000), ref: 0030A9C4
                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0030A9F5
                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0030AA1B
                                                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0030AA2F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3996160137-0
                                                                                                                          • Opcode ID: 4f4eeacc7a30fd7f18716bd9b745b3c1ea7a9235c6a762d90d4d73e533cb9151
                                                                                                                          • Instruction ID: 28092134d8672b673c3ed0b7eafa9ab4f0a1aa15cc60ac2a9ff925b48d2cadb7
                                                                                                                          • Opcode Fuzzy Hash: 4f4eeacc7a30fd7f18716bd9b745b3c1ea7a9235c6a762d90d4d73e533cb9151
                                                                                                                          • Instruction Fuzzy Hash: 69513C71A01609AFDF12DF94ED55AEEBBB9FF04300F048119F915AB2D0DB359A05CB61
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LoadString__swprintf_wprintf
                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                          • API String ID: 2889450990-2391861430
                                                                                                                          • Opcode ID: bebac991e28c5fabb12e6ab17214c8a9053b0f5dec0348fabcf0104645d83e06
                                                                                                                          • Instruction ID: bf6ef99219e4ee5dd3c0b380c35d744c0bf6ece083cd807e3c09281263291c7b
                                                                                                                          • Opcode Fuzzy Hash: bebac991e28c5fabb12e6ab17214c8a9053b0f5dec0348fabcf0104645d83e06
                                                                                                                          • Instruction Fuzzy Hash: 7651727185021ABACB16EBE0DD46EEEB778EF08344F100166F50572261EB715FA5DF60
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LoadString__swprintf_wprintf
                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                          • API String ID: 2889450990-3420473620
                                                                                                                          • Opcode ID: e32397090c44a15ba24d709d9a8e55652208d1910f7ec2b75edc0d2cec2a8e1e
                                                                                                                          • Instruction ID: aea7b3102fbe180db46f4fe76b5dad98317954144dab676a49ce3eb5ccdbbacb
                                                                                                                          • Opcode Fuzzy Hash: e32397090c44a15ba24d709d9a8e55652208d1910f7ec2b75edc0d2cec2a8e1e
                                                                                                                          • Instruction Fuzzy Hash: 4C51947195021ABACF1AEBE0CD42EEEB778AF08344F104066F50572252EB756FA9DF50
                                                                                                                          APIs
                                                                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharUpper
                                                                                                                          • String ID: $E8$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                          • API String ID: 3964851224-1800031024
                                                                                                                          • Opcode ID: 881ea118fc31f906f62bd6f4844afe0847650c9c4da35a87066728477f603438
• Instruction ID: 80476f297f3acb4a15de9d6fca910adf07ea9f2fdfc812d46fee88134bacd4b3
• Opcode Fuzzy Hash: 881ea118fc31f906f62bd6f4844afe0847650c9c4da35a87066728477f603438
• Instruction Fuzzy Hash: 1041603415038A8BDF02EF10D891AEF3365AF17700F619455EC551B692EB70DE5ACF10

APIs
• _memset.LIBCMT ref: 003155D7
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00315664
• GetMenuItemCount.USER32(00391708), ref: 003156ED
• DeleteMenu.USER32(00391708,00000005,00000000,000000F5,?,?), ref: 0031577D
• DeleteMenu.USER32(00391708,00000004,00000000), ref: 00315785
• DeleteMenu.USER32(00391708,00000006,00000000), ref: 0031578D
• DeleteMenu.USER32(00391708,00000003,00000000), ref: 00315795
• GetMenuItemCount.USER32(00391708), ref: 0031579D
• SetMenuItemInfoW.USER32(00391708,00000004,00000000,00000030), ref: 003157D3
• GetCursorPos.USER32(?), ref: 003157DD
• SetForegroundWindow.USER32(00000000), ref: 003157E6
• TrackPopupMenuEx.USER32(00391708,00000000,?,00000000,00000000,00000000), ref: 003157F9
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00315805
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: b766d83f675650fa5812e6b1a5157fb908021b8317fe86ecd83793cafffd6272
• Instruction ID: 0934cc7e5d0633f5f9a3b0977a4cf0bfc89f2a548f31d8ecbe56fa6265831bef
• Opcode Fuzzy Hash: b766d83f675650fa5812e6b1a5157fb908021b8317fe86ecd83793cafffd6272
• Instruction Fuzzy Hash: EF71F170740605FEEB2A9B14DC89FEABF69FF88364F244205F5196A1E0C7B16C90DB90

APIs
• _memset.LIBCMT ref: 0030A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0030A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0030A22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0030A249
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0030A273
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0030A29B
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0030A2A6
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0030A2AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1687751970-22481851
• Opcode ID: 97fc3979b3b0a1755475462ae4cedae6533cfd45111b36b48a71b45a047b0e36
• Instruction ID: 18209b91087a341900ae88ab05aadd63ec8872d7bc880713b573b2f241fc4860
• Opcode Fuzzy Hash: 97fc3979b3b0a1755475462ae4cedae6533cfd45111b36b48a71b45a047b0e36
• Instruction Fuzzy Hash: 46410A76C10629ABDF22EBA4DC95DEEB778FF14300F01446AE801A32A1DB709D15CF50

APIs
• __swprintf.LIBCMT ref: 003167FD
• __swprintf.LIBCMT ref: 0031680A
  • Part of subcall function 002F172B: __woutput_l.LIBCMT ref: 002F1784
• FindResourceW.KERNEL32(?,?,0000000E), ref: 00316834
• LoadResource.KERNEL32(?,00000000), ref: 00316840
• LockResource.KERNEL32(00000000), ref: 0031684D
• FindResourceW.KERNEL32(?,?,00000003), ref: 0031686D
• LoadResource.KERNEL32(?,00000000), ref: 0031687F
• SizeofResource.KERNEL32(?,00000000), ref: 0031688E
• LockResource.KERNEL32(?), ref: 0031689A
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003168F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID: 58
• API String ID: 1433390588-1845685940
• Opcode ID: 916dea2ef8c1169bbbb620a3031aed3cba07be92a977ad42538f67e469c6ac98
• Instruction ID: f052be3035e6f9600388bbdebf9b32bde4d7738cde8947acbf8e4d7e8e095f3b
• Opcode Fuzzy Hash: 916dea2ef8c1169bbbb620a3031aed3cba07be92a977ad42538f67e469c6ac98
• Instruction Fuzzy Hash: 0731707190025AABDB169FA1DD46AFFBBACEF0C341F104825F906E2150E734D9A1DBB0

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003436F4,00000010,?,Bad directive syntax error,0036DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003125D6
• LoadStringW.USER32(00000000,?,003436F4,00000010), ref: 003125DD
• _wprintf.LIBCMT ref: 00312610
• __swprintf.LIBCMT ref: 00312632
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003126A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1080873982-4153970271
• Opcode ID: b1c66a2753162161b5f41b0ad16cb81214603aa9c9314019d078588fc5870187
• Instruction ID: 57cebc9daccdb6bfde081f5424172df53531c5fff88e7ba07084d08a2f05268e
• Opcode Fuzzy Hash: b1c66a2753162161b5f41b0ad16cb81214603aa9c9314019d078588fc5870187
• Instruction Fuzzy Hash: BA213E3191031ABFCF16BF90CC46EEE7B39BF18744F004456F505662A2DAB19A65DF50
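The error-reporting function above carries the AutoIt3 runtime's own strings (">>>AUTOIT SCRIPT<<<", "Line %d (File "%s"):", "%s (%d) : ==> %s.: %s %s", "Bad directive syntax error"), which is what backs the compiled-AutoIt verdict for this sample. The Python below is an added static triage check, not part of the Joe Sandbox report and not code from the sample: it searches a file for those strings as UTF-16LE (with an ASCII fallback) and reports their offsets. The embedded sample bytes are constructed for illustration, and the "two runtime strings" threshold in is_probably_autoit is an arbitrary heuristic, not an AutoIt or Joe Sandbox rule.

```python
"""
Static triage check for compiled AutoIt binaries (added example).

Searches a file for the AutoIt3 runtime strings that the sandbox report shows
inside the sample's image and reports where they occur. Run it as
    python autoit_marker_scan.py <file>
or without arguments to scan the constructed SAMPLE blob below.
"""
import sys

# Strings taken from the report's API call arguments / String IDs. The script
# marker is what most analysts key on; the error-format strings corroborate it.
AUTOIT_MARKERS = [
    ">>>AUTOIT SCRIPT<<<",
    'Line %d (File "%s"):',
    "%s (%d) : ==> %s.: %s %s",
    "Bad directive syntax error",
]


def find_markers(data: bytes) -> dict:
    """Return {marker: [offsets]} for each marker found as UTF-16LE or ASCII.

    The AutoIt3 runtime is a Unicode build, so the strings are stored as
    UTF-16LE; the ASCII pass is a fallback for stripped or re-encoded copies.
    """
    hits = {}
    for marker in AUTOIT_MARKERS:
        offsets = []
        for encoding in ("utf-16-le", "ascii"):
            needle = marker.encode(encoding)
            start = 0
            while True:
                i = data.find(needle, start)
                if i < 0:
                    break
                offsets.append(i)
                start = i + 1
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def is_probably_autoit(data: bytes) -> bool:
    """Heuristic (assumption, not a vendor rule): script marker present,
    or at least two of the runtime's error-format strings present."""
    hits = find_markers(data)
    if ">>>AUTOIT SCRIPT<<<" in hits:
        return True
    return len(hits) >= 2


def scan_file(path: str) -> dict:
    """Read a file from disk and return its marker hits."""
    with open(path, "rb") as f:
        return find_markers(f.read())


# Constructed sample blobs (not real binaries): a fake image with the marker and
# one error-format string stored as UTF-16LE, and a benign blob with neither.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 8
    + 'Line %d (File "%s"):'.encode("utf-16-le")
)
BENIGN = b"MZ" + b"\x00" * 64 + b"hello world"


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_markers(SAMPLE)
    for marker, offsets in hits.items():
        print(f"{marker!r}: {[hex(o) for o in offsets]}")
    print("probably compiled AutoIt" if hits else "no AutoIt runtime strings found")
```

A hit only establishes that the file carries the AutoIt3 interpreter; the behaviour lives in the embedded script, which has to be extracted with a decompiler, and a packed or encrypted sample will not show these strings until it is unpacked (the report's memory dumps are one way to get the unpacked image).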

APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00317B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00317B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00317B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00317B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00317B8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
• Opcode ID: a87504806b299bfe344fa91ada8a996c6d571744e096ab83ca4df69de256a5db
• Instruction ID: dfbb4b137d1db7a09370b132753e2f0854ff08dadafaa2a7ba8145b036c115b7
• Opcode Fuzzy Hash: a87504806b299bfe344fa91ada8a996c6d571744e096ab83ca4df69de256a5db
• Instruction Fuzzy Hash: D711A7A165036979E725B7A1CC4ADFFBA7CEBD5F10F00045AB411A32D1EFA09E45CAB0

APIs
• timeGetTime.WINMM ref: 00317794
  • Part of subcall function 002EDC38: timeGetTime.WINMM(?,75C0B400,003458AB), ref: 002EDC3C
• Sleep.KERNEL32(0000000A), ref: 003177C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003177E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00317806
• SetActiveWindow.USER32 ref: 00317825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00317833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00317852
• Sleep.KERNEL32(000000FA), ref: 0031785D
• IsWindow.USER32 ref: 00317869
• EndDialog.USER32(00000000), ref: 0031787A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 8701c606eb2838b6dae4e1a8b5d4f593b988fb0f86167865415bdbdb4e5f5eb9
• Instruction ID: 8f8e450567ea8d9727c11f55f34061f1f4e7f743ededb67bbca1f399e9a4ac03
• Opcode Fuzzy Hash: 8701c606eb2838b6dae4e1a8b5d4f593b988fb0f86167865415bdbdb4e5f5eb9
• Instruction Fuzzy Hash: 4A213EB4244305BFE71B5B20EC8DAAA3F7DFB49349F080415F546861B2DB725D81DA21

APIs
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
• CoInitialize.OLE32(00000000), ref: 0032034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003203DE
• SHGetDesktopFolder.SHELL32(?), ref: 003203F2
• CoCreateInstance.OLE32(0035DA8C,00000000,00000001,00383CF8,?), ref: 0032043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003204AD
• CoTaskMemFree.OLE32(?,?), ref: 00320505
• _memset.LIBCMT ref: 00320542
• SHBrowseForFolderW.SHELL32(?), ref: 0032057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003205A1
• CoTaskMemFree.OLE32(00000000), ref: 003205A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003205DF
• CoUninitialize.OLE32(00000001,00000000), ref: 003205E1
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1246142700-0
                                                                                                                          • Opcode ID: 8d854eea579c042fe2f1da95a41245706910451fc9466eafa9ca372b1b4449a2
                                                                                                                          • Instruction ID: c6065ff0d82c9f8e66911797c708c53f68461292d9930684c052cebfc6da0619
                                                                                                                          • Opcode Fuzzy Hash: 8d854eea579c042fe2f1da95a41245706910451fc9466eafa9ca372b1b4449a2
                                                                                                                          • Instruction Fuzzy Hash: 95B1E874A00219AFDB15DFA4D888DAEBBB9FF48304B148499F905EB261DB30ED45CF50
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?), ref: 00312ED6
                                                                                                                          • SetKeyboardState.USER32(?), ref: 00312F41
                                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00312F61
                                                                                                                          • GetKeyState.USER32(000000A0), ref: 00312F78
                                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00312FA7
                                                                                                                          • GetKeyState.USER32(000000A1), ref: 00312FB8
                                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00312FE4
                                                                                                                          • GetKeyState.USER32(00000011), ref: 00312FF2
                                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 0031301B
                                                                                                                          • GetKeyState.USER32(00000012), ref: 00313029
                                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00313052
                                                                                                                          • GetKeyState.USER32(0000005B), ref: 00313060
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: State$Async$Keyboard
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 541375521-0
                                                                                                                          • Opcode ID: 4756c3d49d5425d8bbe3af2184257fa95f1bc461e7b4c317f455539a187c8b0d
                                                                                                                          • Instruction ID: fbc724bf821c438ded127a71fd377291d3f4256dec9018291db2c28460b9fcc4
                                                                                                                          • Opcode Fuzzy Hash: 4756c3d49d5425d8bbe3af2184257fa95f1bc461e7b4c317f455539a187c8b0d
                                                                                                                          • Instruction Fuzzy Hash: 0951E760A0478429FB3FDBA488107EBBFF49F19340F09459DD5C25A1C2DA54ABCCC7A2
                                                                                                                          APIs
                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 0030ED1E
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0030ED30
                                                                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0030ED8E
                                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 0030ED99
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0030EDAB
                                                                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0030EE01
                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0030EE0F
                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0030EE20
                                                                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0030EE63
                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0030EE71
                                                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0030EE8E
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0030EE9B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3096461208-0
                                                                                                                          • Opcode ID: 59a95a062f52e49bd49e8d16763e91a7d005a9c99bdde1dd949a5d13e95065b6
                                                                                                                          • Instruction ID: 37f136b42781a04e1bcd4546c03d3c468a868e186c57e5d4d44dc6e23def651b
                                                                                                                          • Opcode Fuzzy Hash: 59a95a062f52e49bd49e8d16763e91a7d005a9c99bdde1dd949a5d13e95065b6
                                                                                                                          • Instruction Fuzzy Hash: 41515FB1B00309AFDB19CF68DD95AAEBBBAEB88301F548529F519D72D0D7709D41CB10
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002EB759,?,00000000,?,?,?,?,002EB72B,00000000,?), ref: 002EBA58
                                                                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002EB72B), ref: 002EB7F6
                                                                                                                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,002EB72B,00000000,?,?,002EB2EF,?,?), ref: 002EB88D
                                                                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0034D8A6
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002EB72B,00000000,?,?,002EB2EF,?,?), ref: 0034D8D7
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002EB72B,00000000,?,?,002EB2EF,?,?), ref: 0034D8EE
                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002EB72B,00000000,?,?,002EB2EF,?,?), ref: 0034D90A
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0034D91C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 641708696-0
                                                                                                                          • Opcode ID: dcd44f9dd19766fd0eb10b503314329d58d994fd89ea57f9f7eea37786a9c464
                                                                                                                          • Instruction ID: ab237b1c9c4ea36b5858f1c79ddc650f0b6953d8fe021b18c96fa4575357e4c1
                                                                                                                          • Opcode Fuzzy Hash: dcd44f9dd19766fd0eb10b503314329d58d994fd89ea57f9f7eea37786a9c464
                                                                                                                          • Instruction Fuzzy Hash: D6618A31960742CFDB379F16D988B26B7F9FB94312F55051EE4869AAB0C771A8A0CF40
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB526: GetWindowLongW.USER32(?,000000EB), ref: 002EB537
                                                                                                                          • GetSysColor.USER32(0000000F), ref: 002EB438
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ColorLongWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 259745315-0
                                                                                                                          • Opcode ID: ff056fb03291e82356733ed8e2ecef949dcf7eb13bf201b2baa7b881793dd05c
                                                                                                                          • Instruction ID: cc411513cb7897b3a5fb741366349c7dcaddd0329d30881fa147eadb719fa7b0
                                                                                                                          • Opcode Fuzzy Hash: ff056fb03291e82356733ed8e2ecef949dcf7eb13bf201b2baa7b881793dd05c
                                                                                                                          • Instruction Fuzzy Hash: BF41D3300506809FDF235F29EC99BBA3BA9EB06731F544261FD658E1E6D7708D51CB21
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 136442275-0
                                                                                                                          • Opcode ID: 6f21cc3f258a3f6e7a306e554fc3602fccc7e0053cdb4f81d37c2cdb4e130817
                                                                                                                          • Instruction ID: 63c9e632032b91fb56f5b1c51632bd945b18da747eba88f3f17baf6b097d9eac
                                                                                                                          • Opcode Fuzzy Hash: 6f21cc3f258a3f6e7a306e554fc3602fccc7e0053cdb4f81d37c2cdb4e130817
                                                                                                                          • Instruction Fuzzy Hash: DE410FB685511CAFCF66DB94CC86DDAB3BCEF48340F0041E6F659A2051EA31ABE58F50
                                                                                                                          APIs
                                                                                                                          • CharLowerBuffW.USER32(0036DC00,0036DC00,0036DC00), ref: 0031D7CE
                                                                                                                          • GetDriveTypeW.KERNEL32(?,00383A70,00000061), ref: 0031D898
                                                                                                                          • _wcscpy.LIBCMT ref: 0031D8C2
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                          • API String ID: 2820617543-1000479233
                                                                                                                          • Opcode ID: ea2515589ef8ce1cd216b9d82cd123727537405153e772d490f020d2a992a93a
                                                                                                                          • Instruction ID: 6a49389348903d6baad267a1b586c5f10f9e1e1fdd01bec28d5b56284e99a2de
                                                                                                                          • Opcode Fuzzy Hash: ea2515589ef8ce1cd216b9d82cd123727537405153e772d490f020d2a992a93a
                                                                                                                          • Instruction Fuzzy Hash: 30511635114340AFC709EF14D881AEEB7A5EF8A714F60882EF49A572A2DB31DD55CF42
                                                                                                                          APIs
                                                                                                                          • __swprintf.LIBCMT ref: 002D93AB
                                                                                                                          • __itow.LIBCMT ref: 002D93DF
                                                                                                                            • Part of subcall function 002F1557: _xtow@16.LIBCMT ref: 002F1578
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __itow__swprintf_xtow@16
                                                                                                                          • String ID: %.15g$0x%p$False$True
                                                                                                                          • API String ID: 1502193981-2263619337
                                                                                                                          APIs
                                                                                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0033A259
                                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0033A260
                                                                                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0033A273
                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0033A27B
                                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0033A286
                                                                                                                          • DeleteDC.GDI32(00000000), ref: 0033A28F
                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0033A299
                                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0033A2AD
                                                                                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0033A2B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                          • String ID: static
                                                                                                                          • API String ID: 2559357485-2160076837
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                          • String ID: 0.0.0.0
                                                                                                                          • API String ID: 2620052-3771769585
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 002F5047
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          • __gmtime64_s.LIBCMT ref: 002F50E0
                                                                                                                          • __gmtime64_s.LIBCMT ref: 002F5116
                                                                                                                          • __gmtime64_s.LIBCMT ref: 002F5133
                                                                                                                          • __allrem.LIBCMT ref: 002F5189
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F51A5
                                                                                                                          • __allrem.LIBCMT ref: 002F51BC
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F51DA
                                                                                                                          • __allrem.LIBCMT ref: 002F51F1
                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F520F
                                                                                                                          • __invoke_watson.LIBCMT ref: 002F5280
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 384356119-0
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00314DF8
                                                                                                                          • GetMenuItemInfoW.USER32(00391708,000000FF,00000000,00000030), ref: 00314E59
                                                                                                                          • SetMenuItemInfoW.USER32(00391708,00000004,00000000,00000030), ref: 00314E8F
                                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00314EA1
                                                                                                                          • GetMenuItemCount.USER32(?), ref: 00314EE5
                                                                                                                          • GetMenuItemID.USER32(?,00000000), ref: 00314F01
                                                                                                                          • GetMenuItemID.USER32(?,-00000001), ref: 00314F2B
                                                                                                                          • GetMenuItemID.USER32(?,?), ref: 00314F70
                                                                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00314FB6
                                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00314FCA
                                                                                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00314FEB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4176008265-0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00339C98
                                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00339C9B
                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00339CBF
                                                                                                                          • _memset.LIBCMT ref: 00339CD0
                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00339CE2
                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00339D5A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$LongWindow_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 830647256-0
                                                                                                                          APIs
                                                                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003094FE
                                                                                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00309549
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0030955B
                                                                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0030957B
                                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 003095BE
                                                                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 003095D2
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 003095E7
                                                                                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 003095F4
                                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003095FD
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0030960F
                                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0030961A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          Similarity
                                                                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2706829360-0
                                                                                                                          • Opcode ID: 976b6abfca03b451516525c86ea15784d481a029f4ee1003125259b9f8303fe2
                                                                                                                          • Instruction ID: c43967963cc76cc5a87fa2401dcf285ca7f72bd8b46b70193ce190d1a2e1acb2
                                                                                                                          • Opcode Fuzzy Hash: 976b6abfca03b451516525c86ea15784d481a029f4ee1003125259b9f8303fe2
                                                                                                                          • Instruction Fuzzy Hash: 72416D71900219AFCB12EFA6DC54ADEBB7DFF08351F008066E502A7261DB31AA45CBA0
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearInit$_memset
                                                                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?8$|?8
                                                                                                                          • API String ID: 2862541840-4161921993
                                                                                                                          • Opcode ID: 885341bd496a88a1b3416353d5049ea7f0ae9dbb3ec2ca474ddc9b4327b3fe88
                                                                                                                          • Instruction ID: e989fb9d796c03d9b2650a3f01091e723fc999c4a2c72f339d3c3d9951189ef4
                                                                                                                          • Opcode Fuzzy Hash: 885341bd496a88a1b3416353d5049ea7f0ae9dbb3ec2ca474ddc9b4327b3fe88
                                                                                                                          • Instruction Fuzzy Hash: 2E91A171A00229EBDF26DFA5E844FEEB7B8EF45710F10855AF505AB281DB709944CFA0
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
                                                                                                                            • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
                                                                                                                          • CoInitialize.OLE32 ref: 0032ADF6
                                                                                                                          • CoUninitialize.OLE32 ref: 0032AE01
                                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,0035D8FC,?), ref: 0032AE61
                                                                                                                          • IIDFromString.OLE32(?,?), ref: 0032AED4
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0032AF6E
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0032AFCF
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                          • API String ID: 834269672-1287834457
                                                                                                                          • Opcode ID: 013c41dcc2ea78a6764abe673c1924ae7561ab5d9eb3be71819ef56b831f799f
                                                                                                                          • Instruction ID: b1f56b2a451063dfdaee6abbf592de186d2597283cc6806c46c8bbd7d5c8adcc
                                                                                                                          • Opcode Fuzzy Hash: 013c41dcc2ea78a6764abe673c1924ae7561ab5d9eb3be71819ef56b831f799f
                                                                                                                          • Instruction Fuzzy Hash: 0961CE71208B21EFC712EF54E944B6BB7E8AF48714F014849F9859B2A1C774ED45CB93
                                                                                                                          APIs
                                                                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00328168
                                                                                                                          • inet_addr.WSOCK32(?,?,?), ref: 003281AD
                                                                                                                          • gethostbyname.WSOCK32(?), ref: 003281B9
                                                                                                                          • IcmpCreateFile.IPHLPAPI ref: 003281C7
                                                                                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00328237
                                                                                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0032824D
                                                                                                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003282C2
                                                                                                                          • WSACleanup.WSOCK32 ref: 003282C8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                          • String ID: Ping
                                                                                                                          • API String ID: 1028309954-2246546115
                                                                                                                          • Opcode ID: d183168a7ab81df41d999d2cc2d6a33d916270ca056b3d4f4d88490c43b0877a
                                                                                                                          • Instruction ID: 145117374ebab9382355df453604b07d6d33d93dfb87ce989de7a2a919962e55
                                                                                                                          • Opcode Fuzzy Hash: d183168a7ab81df41d999d2cc2d6a33d916270ca056b3d4f4d88490c43b0877a
                                                                                                                          • Instruction Fuzzy Hash: 14519D316057109FD722AF24DC45B6AB7E8AF48710F15882AFA56DB2A1DB70E901CF41
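The record above is the runtime's ICMP ping routine, and the argument list the sandbox prints for IcmpSendEcho follows the documented Win32 parameter order, so the fixed values can be read off directly: RequestSize 0x5, RequestOptions NULL, ReplySize 0x29 (41 bytes) and Timeout 0xFA0 (4000 ms); "?" marks a value the sandbox did not recover. The following parser is an added example written for this page, not Joe Sandbox code: it turns records in the layout shown here (APIs, Strings, Memory Dump Source, Similarity) into structured objects, computes each call site's offset from the dump's "Offset:" base (the RVA you would look up in IDA), and names the IcmpSendEcho arguments. The record layout is inferred from the page, the sample text is constructed from the Ping and drive-status records above with one "Part of subcall" line added to exercise that form, and the "API ID" / "API String ID" similarity keys are Joe Sandbox's own and are only carried through, not recomputed.

```python
"""Parse the per-function records of a Joe Sandbox disassembly dump
(APIs / Strings / Memory Dump Source / Similarity blocks as printed on this
page) and decode the IcmpSendEcho argument list.  Added example, not Joe
Sandbox code; the record layout is inferred from the page."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

BULLET = "\u2022"
# One call line; the "Part of subcall function XXXX:" prefix is optional.
API_RE = re.compile(
    rf"^{BULLET}\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]        # raw hex tokens; "?" = value the sandbox did not recover
    ref: int               # virtual address of the call site
    subcall: bool = False  # reached through a callee rather than this function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)  # "String ID", split on "$"
    api_string_id: str = ""                            # Joe Sandbox similarity key
    image_base: int | None = None                      # "Offset:" of the dump

    def rva(self, call: ApiCall) -> int | None:
        """Call-site offset from the dumped image base (the value IDA shows)."""
        return None if self.image_base is None else call.ref - self.image_base

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every record opens with its API list
            cur = FunctionRecord()
            records.append(cur)
            section = line
        elif not line or cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur.apis.append(ApiCall(m["name"], m["module"], args,
                                    int(m["ref"], 16), m["sub"] is not None))
        elif section == "Memory Dump Source" and cur.image_base is None:
            if m := OFFSET_RE.search(line):   # first "Source File" line carries the base
                cur.image_base = int(m["base"], 16)
        elif section == "Similarity":
            key, _, value = line.lstrip(BULLET + " ").partition(":")
            key, value = key.strip(), value.strip()
            if key == "String ID":
                cur.strings = [s for s in value.split("$") if s]
            elif key == "API String ID":
                cur.api_string_id = value
    return records

# Positional parameters of IcmpSendEcho as documented for iphlpapi.dll.
ICMP_SEND_ECHO_PARAMS = ("IcmpHandle", "DestinationAddress", "RequestData", "RequestSize",
                         "RequestOptions", "ReplyBuffer", "ReplySize", "Timeout")

def decode_icmp_send_echo(call: ApiCall) -> dict[str, int | None]:
    """Name the arguments the sandbox printed; Timeout is in milliseconds."""
    if call.name != "IcmpSendEcho":
        raise ValueError(f"not an IcmpSendEcho call: {call.name}")
    return {p: None if a == "?" else int(a, 16)
            for p, a in zip(ICMP_SEND_ECHO_PARAMS, call.args)}

def find_calls(rec: FunctionRecord, name: str) -> list[ApiCall]:
    return [c for c in rec.apis if c.name == name]

# Constructed sample in the report's layout: the Ping and drive-status records
# from this page, plus one "subcall" line to exercise that form.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00328168
• gethostbyname.WSOCK32(?), ref: 003281B9
• IcmpCreateFile.IPHLPAPI ref: 003281C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00328237
• WSACleanup.WSOCK32 ref: 003282C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
• SetErrorMode.KERNEL32(00000001), ref: 0031E396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0031E40C
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
"""
```

Running `parse_records(SAMPLE)` yields two records; `decode_icmp_send_echo(find_calls(recs[0], "IcmpSendEcho")[0])` gives Timeout 4000 and ReplySize 41, and `recs[0].rva(...)` places that call at 0x58237 from the 0x2D0000 base. Entries under a populated Strings section are not parsed, since none appear on this page; the String ID field in the Similarity block is used instead.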
                                                                                                                          APIs
                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0031E396
                                                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0031E40C
                                                                                                                          • GetLastError.KERNEL32 ref: 0031E416
                                                                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0031E483
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                          • API String ID: 4194297153-14809454
                                                                                                                          • Opcode ID: e1ea85f426f1678d20609ecdf6a43f76e37430d8837f7c03ad992a77189a8fff
                                                                                                                          • Instruction ID: 2952b9499af05df7e127560ab5d79a8f24b3e18d3afb70faa8aa101e32c99220
                                                                                                                          • Opcode Fuzzy Hash: e1ea85f426f1678d20609ecdf6a43f76e37430d8837f7c03ad992a77189a8fff
                                                                                                                          • Instruction Fuzzy Hash: 60319435A002069FD716EFA5D845AED77B8EF0C700F158056E905EB391DB719E82CB51
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0030B98C
                                                                                                                          • GetDlgCtrlID.USER32 ref: 0030B997
                                                                                                                          • GetParent.USER32 ref: 0030B9B3
                                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0030B9B6
                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 0030B9BF
                                                                                                                          • GetParent.USER32(?), ref: 0030B9DB
                                                                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0030B9DE
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$CtrlParent
                                                                                                                          • String ID: ComboBox$ListBox
                                                                                                                          • API String ID: 1383977212-1403004172
                                                                                                                          • Opcode ID: 948fab972b68cf7b5cb40bd2b1e7ee26c1805565ab208542fce64663fe12f0ec
                                                                                                                          • Instruction ID: 8e6e49ef90fe6b75a92e864fa3043fe6c3c70cc7389efb82d0c00686aae7c19a
                                                                                                                          • Opcode Fuzzy Hash: 948fab972b68cf7b5cb40bd2b1e7ee26c1805565ab208542fce64663fe12f0ec
                                                                                                                          • Instruction Fuzzy Hash: 3321C874900204BFDB06ABA4CC95EFEB7B9EF45310F500116F561972E1DB745816DF60
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0030BA73
                                                                                                                          • GetDlgCtrlID.USER32 ref: 0030BA7E
                                                                                                                          • GetParent.USER32 ref: 0030BA9A
                                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0030BA9D
                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 0030BAA6
                                                                                                                          • GetParent.USER32(?), ref: 0030BAC2
                                                                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0030BAC5
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$CtrlParent
                                                                                                                          • String ID: ComboBox$ListBox
                                                                                                                          • API String ID: 1383977212-1403004172
                                                                                                                          • Opcode ID: e0054e30f587e0ed30a0f693246dcc0dc31c0c71c0acb3ed7300e2f984c6e83c
                                                                                                                          • Instruction ID: c98b12f4c20c684f9a8c50392cf8ed2f320478234036337c28769d54fd387d9d
                                                                                                                          • Opcode Fuzzy Hash: e0054e30f587e0ed30a0f693246dcc0dc31c0c71c0acb3ed7300e2f984c6e83c
                                                                                                                          • Instruction Fuzzy Hash: 9E21B3B4A00204BFDB06ABA4CC95EFEB7B9EF45300F500016F951A72E1DB759926DF60
                                                                                                                          APIs
                                                                                                                          • GetParent.USER32 ref: 0030BAE3
                                                                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 0030BAF8
                                                                                                                          • _wcscmp.LIBCMT ref: 0030BB0A
                                                                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0030BB85
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                          • API String ID: 1704125052-3381328864
                                                                                                                          • Opcode ID: b327a9c0d4cdaa512f0f15350a00357fd17d36ec5a07acd157b21d09771c6d67
                                                                                                                          • Instruction ID: a98763cc697eddcb0cccceba76530658ccb0f771bdccc4290c9ed5c06af1a821
                                                                                                                          • Opcode Fuzzy Hash: b327a9c0d4cdaa512f0f15350a00357fd17d36ec5a07acd157b21d09771c6d67
                                                                                                                          • Instruction Fuzzy Hash: 2A113A36248307FBFA367A21DC16CB7B79C8F10760F200021FA04E04E6EFA558214614
                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0032B2D5
                                                                                                                          • CoInitialize.OLE32(00000000), ref: 0032B302
                                                                                                                          • CoUninitialize.OLE32 ref: 0032B30C
                                                                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 0032B40C
                                                                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 0032B539
                                                                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0032B56D
                                                                                                                          • CoGetObject.OLE32(?,00000000,0035D91C,?), ref: 0032B590
                                                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 0032B5A3
                                                                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0032B623
                                                                                                                          • VariantClear.OLEAUT32(0035D91C), ref: 0032B633
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 40def56ca634d1aa353dd91d08af7da656421bbeb32644259726ac98876d2df9
• Instruction ID: 0d0ee7853ff2718eae1530092d5c4173a187eab65551e3c3d8cc53fe84f66632
• Opcode Fuzzy Hash: 40def56ca634d1aa353dd91d08af7da656421bbeb32644259726ac98876d2df9
• Instruction Fuzzy Hash: 88C12271608311AFC701EF69D88496BB7E9BF89308F10491DF98ADB261DB71ED05CB92
APIs
• __lock.LIBCMT ref: 002FACC1
  • Part of subcall function 002F7CF4: __mtinitlocknum.LIBCMT ref: 002F7D06
  • Part of subcall function 002F7CF4: EnterCriticalSection.KERNEL32(00000000,?,002F7ADD,0000000D), ref: 002F7D1F
• __calloc_crt.LIBCMT ref: 002FACD2
  • Part of subcall function 002F6986: __calloc_impl.LIBCMT ref: 002F6995
  • Part of subcall function 002F6986: Sleep.KERNEL32(00000000,000003BC,002EF507,?,0000000E), ref: 002F69AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 002FACED
• GetStartupInfoW.KERNEL32(?,00386E28,00000064,002F5E91,00386C70,00000014), ref: 002FAD46
• __calloc_crt.LIBCMT ref: 002FAD91
• GetFileType.KERNEL32(00000001), ref: 002FADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 002FAE11
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: 9996f3ba39d5cb99e11c2fa8387d6b166b4c6b30b715002242803b8b209dfde9
• Instruction ID: 75170866894cae9a434478462501a0842f4749da70bcf070d144d0448a96eda8
• Opcode Fuzzy Hash: 9996f3ba39d5cb99e11c2fa8387d6b166b4c6b30b715002242803b8b209dfde9
• Instruction Fuzzy Hash: 6381E3B092535A8FDB25CF68C8405B9FBF4AF05360F24427ED5AAAB3E1C7359812CB51
APIs
• GetCurrentThreadId.KERNEL32 ref: 00314047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,003130A5,?,00000001), ref: 0031405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00314062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003130A5,?,00000001), ref: 00314071
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00314083
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003130A5,?,00000001), ref: 0031409C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003130A5,?,00000001), ref: 003140AE
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003130A5,?,00000001), ref: 003140F3
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003130A5,?,00000001), ref: 00314108
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003130A5,?,00000001), ref: 00314113
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: f693e0c159ecced36edc7cf4a4a598b1a73620e8db2cef0e8bbbbf183c63c069
• Instruction ID: 48619d0a6a59d29fbe587eb5690d3da74bde0e9d3d34837be8c8631a6103ba6d
• Opcode Fuzzy Hash: f693e0c159ecced36edc7cf4a4a598b1a73620e8db2cef0e8bbbbf183c63c069
• Instruction Fuzzy Hash: 2031E1B5500700BFDB27CF65DC85BA977ADBB58712F118026F904E62A0CBB59EC08F60
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002D30DC
• CoUninitialize.OLE32(?,00000000), ref: 002D3181
• UnregisterHotKey.USER32(?), ref: 002D32A9
• DestroyWindow.USER32(?), ref: 00345079
• FreeLibrary.KERNEL32(?), ref: 003450F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00345125
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 6484bca5b743be076f6569c02a23709b4643cc6ea3d31b021ba9a1034bf6b06b
• Instruction ID: cc4ca4099ee11551e8d1f56d199348c53c6f1a0fa9d09dcd057521ca8878e685
• Opcode Fuzzy Hash: 6484bca5b743be076f6569c02a23709b4643cc6ea3d31b021ba9a1034bf6b06b
• Instruction Fuzzy Hash: 59912D34620642CFC716EF14C895B68F3A8FF14305F5581AAE50AAB362DF30AE66CF51
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 002ECC15
  • Part of subcall function 002ECCCD: GetClientRect.USER32(?,?), ref: 002ECCF6
  • Part of subcall function 002ECCCD: GetWindowRect.USER32(?,?), ref: 002ECD37
  • Part of subcall function 002ECCCD: ScreenToClient.USER32(?,?), ref: 002ECD5F
• GetDC.USER32 ref: 0034D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0034D14A
• SelectObject.GDI32(00000000,00000000), ref: 0034D158
• SelectObject.GDI32(00000000,00000000), ref: 0034D16D
• ReleaseDC.USER32(?,00000000), ref: 0034D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0034D200
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: b52a34dd384e8d8a661032942375d59a1f7a038386cdb631a234b4316f7e2d7e
• Instruction ID: b9e7a0ea852ea887c7df8e421794b1f239591a4585b06428ee48c6e19fec5bc1
• Opcode Fuzzy Hash: b52a34dd384e8d8a661032942375d59a1f7a038386cdb631a234b4316f7e2d7e
• Instruction Fuzzy Hash: A671D030400245DFCF229F64CC85AAA7BB9FF49314F24466AED555F2A6C731A852DF60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003245FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0032462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0032466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00324682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0032468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003246BF
• InternetCloseHandle.WININET(00000000), ref: 00324706
  • Part of subcall function 00325052: GetLastError.KERNEL32(?,?,003243CC,00000000,00000000,00000001), ref: 00325067
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: cb19d12b8c40f60d8120d2fd22293ffb2fcb3740eef4c8aa8571d1a9d5cbb78e
• Instruction ID: 8124b89ef105461b84e7058d8a9c5ae953f53b1ce4290329b2905995d4ec2259
• Opcode Fuzzy Hash: cb19d12b8c40f60d8120d2fd22293ffb2fcb3740eef4c8aa8571d1a9d5cbb78e
• Instruction Fuzzy Hash: 70419DB1501228BFEB139F50EC85FBB7BACFF09304F114016FA169A151D7B0DA448BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0036DC00), ref: 0032B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0036DC00), ref: 0032B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0032B8C1
• SysFreeString.OLEAUT32(?), ref: 0032B8EB
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 560350794-0
                                                                                                                          • Opcode ID: 9c4496f65844f4c32fdb71f5f4f440b064967ffe1253dc6b9e71bc78b05be194
                                                                                                                          • Instruction ID: 87e130315aa888c147acfa6e4e5910b903fef8f621307fc841a1473e431fdb29
                                                                                                                          • Opcode Fuzzy Hash: 9c4496f65844f4c32fdb71f5f4f440b064967ffe1253dc6b9e71bc78b05be194
                                                                                                                          • Instruction Fuzzy Hash: FBF15D71A00219EFCF15DF94D884EAEB7BAFF49311F118459F915AB250DB31AE81CB90
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 003324F5
                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00332688
                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003326AC
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003326EC
                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0033270E
                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0033286F
                                                                                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003328A1
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 003328D0
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00332947
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4090791747-0
                                                                                                                          • Opcode ID: cc29ba0f3d1d235969083c842ebe7a4124a662e03cb0fb000f04f415e5519710
                                                                                                                          • Instruction ID: 09cce8c6a8a05e7872e0c7c1d226023bcae67ddfc18e041cf842263217c52e0d
                                                                                                                          • Opcode Fuzzy Hash: cc29ba0f3d1d235969083c842ebe7a4124a662e03cb0fb000f04f415e5519710
                                                                                                                          • Instruction Fuzzy Hash: A3D1AE31604340DFCB16EF25C891A6ABBE5BF89310F15845EF8899B2A2DB31DD45CF52
                                                                                                                          APIs
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0033B3F4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InvalidateRect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 634782764-0
                                                                                                                          • Opcode ID: f21048fc0e88e145331b0027097afc20a3a0c939a7a27ec7c1fe321f49c5e69d
                                                                                                                          • Instruction ID: 5871a9554ea5e57cdd270150a773aa5698e0ba8ce792da8a6fe7efc3a1966d9e
                                                                                                                          • Opcode Fuzzy Hash: f21048fc0e88e145331b0027097afc20a3a0c939a7a27ec7c1fe321f49c5e69d
                                                                                                                          • Instruction Fuzzy Hash: 7B51CF34600214BBEF339F29CCC5BADBB68AB05324F644112FB54EB6E2C771E9948B50
                                                                                                                          APIs
                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0034DB1B
                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0034DB3C
                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0034DB51
                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0034DB6E
                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0034DB95
                                                                                                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002EA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0034DBA0
                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0034DBBD
                                                                                                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002EA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0034DBC8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1268354404-0
                                                                                                                          • Opcode ID: 0c602a39ac628ba76776cf659fa08791736314f6a1547a7adde80286fb2a400f
                                                                                                                          • Instruction ID: 8cdef7887b94cb8ac54afcb0e63c42e9306b2bd2257106de195d6bf70e172b38
                                                                                                                          • Opcode Fuzzy Hash: 0c602a39ac628ba76776cf659fa08791736314f6a1547a7adde80286fb2a400f
                                                                                                                          • Instruction Fuzzy Hash: CE517870660309EFDB22CF69CC81FAA77F9EB08750F510519F946AA2A0D7B0BD90CB50
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00316EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00315FA6,?), ref: 00316ED8
                                                                                                                            • Part of subcall function 00316EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00315FA6,?), ref: 00316EF1
                                                                                                                            • Part of subcall function 003172CB: GetFileAttributesW.KERNEL32(?,00316019), ref: 003172CC
                                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 003175CA
                                                                                                                          • _wcscmp.LIBCMT ref: 003175E2
                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 003175FB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 793581249-0
                                                                                                                          • Opcode ID: 1942938c9ac7d51c6ca7fdc8dc11a2b231050e47510c0d56b9105edb715b562d
                                                                                                                          • Instruction ID: af8fb1d4b8f3d4f974f6689c6ecb6f951449ed888f253a3b6b9389e1a932b9ba
                                                                                                                          • Opcode Fuzzy Hash: 1942938c9ac7d51c6ca7fdc8dc11a2b231050e47510c0d56b9105edb715b562d
                                                                                                                          • Instruction Fuzzy Hash: 13513EB2A0921D9ADF65EB94D8819DEB3BC9F0C350F0444AAF605E3541EA7497C9CF70
                                                                                                                          APIs
                                                                                                                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0034DAD1,00000004,00000000,00000000), ref: 002EEAEB
                                                                                                                          • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0034DAD1,00000004,00000000,00000000), ref: 002EEB32
                                                                                                                          • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0034DAD1,00000004,00000000,00000000), ref: 0034DC86
                                                                                                                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0034DAD1,00000004,00000000,00000000), ref: 0034DCF2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ShowWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1268545403-0
                                                                                                                          • Opcode ID: e3ff58a9850588921565db8090fd5c16712ee7759f71204c0e9942cddc95c0ef
                                                                                                                          • Instruction ID: 62ddf25ae99a565e7e6c410f78b9eeec0dbc26c75ea8ff178d274b5fe8c432c5
                                                                                                                          • Opcode Fuzzy Hash: e3ff58a9850588921565db8090fd5c16712ee7759f71204c0e9942cddc95c0ef
                                                                                                                          • Instruction Fuzzy Hash: 994126706747C1DACF364F2A8DCDA2B7ADABB41309F9B081DE04786A61C6B0BC50C710
                                                                                                                          APIs
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0030AEF1,00000B00,?,?), ref: 0030B26C
                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,0030AEF1,00000B00,?,?), ref: 0030B273
                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0030AEF1,00000B00,?,?), ref: 0030B288
                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0030AEF1,00000B00,?,?), ref: 0030B290
                                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,0030AEF1,00000B00,?,?), ref: 0030B293
                                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0030AEF1,00000B00,?,?), ref: 0030B2A3
                                                                                                                          • GetCurrentProcess.KERNEL32(0030AEF1,00000000,?,0030AEF1,00000B00,?,?), ref: 0030B2AB
                                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,0030AEF1,00000B00,?,?), ref: 0030B2AE
                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,0030B2D4,00000000,00000000,00000000), ref: 0030B2C8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1957940570-0
                                                                                                                          • Opcode ID: afe9855189f73a4d01c3a32fd3cd0c661be154a5c81d46db0f6bcc3221f1c97d
                                                                                                                          • Instruction ID: 7caf3fde5cfb1581c38909c496bca329ca3cda2102fb767edbc4ff6473514b74
                                                                                                                          • Opcode Fuzzy Hash: afe9855189f73a4d01c3a32fd3cd0c661be154a5c81d46db0f6bcc3221f1c97d
                                                                                                                          • Instruction Fuzzy Hash: A601C9B5240308BFE721AFA5DC4DF6B7BACEB88712F058411FA05DB6B1CA749800CB61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: f1cf3b17680c25c9325265d6c535aa7a8cb4b0267ca2f38a6231379d4e9a8720
• Instruction ID: c0d33d436f300c653ddb47d000a70a3b4263cf7871aa1e73f683d5b14222e5cb
• Opcode Fuzzy Hash: f1cf3b17680c25c9325265d6c535aa7a8cb4b0267ca2f38a6231379d4e9a8720
• Instruction Fuzzy Hash: EAE1D771A102299FCF16DFA8E881BEE77B9EF48354F159029F905AB281D770ED41CB90
APIs
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
  • Part of subcall function 002EC6F4: _wcscpy.LIBCMT ref: 002EC717
• _wcstok.LIBCMT ref: 0032184E
• _wcscpy.LIBCMT ref: 003218DD
• _memset.LIBCMT ref: 00321910
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X$p28l28
• API String ID: 774024439-3119563351
• Opcode ID: d265c6977b593bdd35d54d0308f6ef99b1c7b1e57e8cee768c4099d123048f62
• Instruction ID: 20b21d4f0f1bd406d56494de39f91f5646e89763467a48af0d3ae8730fd86f63
• Opcode Fuzzy Hash: d265c6977b593bdd35d54d0308f6ef99b1c7b1e57e8cee768c4099d123048f62
• Instruction Fuzzy Hash: 5FC18D305143519FC725EF24D981AAAB7E4BF95350F00496EF8899B3A2DB30EC55CF82
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00339B19
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00339B2D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00339B47
• _wcscat.LIBCMT ref: 00339BA2
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00339BB9
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00339BE7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: d556fb5f56ac1bd3ec1311fb5667904a1f71dcda5330418da0779c30389ed32e
• Instruction ID: 1db8a1512cb3b3920a1d278a32bba0309d17e215b4c02ee80e929d8ff9327101
• Opcode Fuzzy Hash: d556fb5f56ac1bd3ec1311fb5667904a1f71dcda5330418da0779c30389ed32e
• Instruction Fuzzy Hash: DC41B171940308EBDB229FA4DC85BEEB7B8EF08350F11452AF549E7291C7B59D85CB60
APIs
  • Part of subcall function 00316532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00316554
  • Part of subcall function 00316532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00316564
  • Part of subcall function 00316532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003165F9
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0033179A
• GetLastError.KERNEL32 ref: 003317AD
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003317D9
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00331855
• GetLastError.KERNEL32(00000000), ref: 00331860
• CloseHandle.KERNEL32(00000000), ref: 00331895
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 803c9287d55982cd5044bf5df5190b6c76d1edfc641de3279043e0bc65a247b8
• Instruction ID: b6846ce9a80e33599730337df080bda35aff61048502c9557333b40a3247fef7
• Opcode Fuzzy Hash: 803c9287d55982cd5044bf5df5190b6c76d1edfc641de3279043e0bc65a247b8
• Instruction Fuzzy Hash: 2541D172640200AFDB16EF54C8E5FADB7A9AF48700F058099F9069F3D2DBB49944CF95
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 003158B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: f137db7a5d3bfbb1f2e3dfd88c2793f4844ed32a97be6b24c9037d7b0d1e87b5
• Instruction ID: 7d37884a9358e7e92064b919934370b4b72c42629550cc82df185922f66f2896
• Opcode Fuzzy Hash: f137db7a5d3bfbb1f2e3dfd88c2793f4844ed32a97be6b24c9037d7b0d1e87b5
• Instruction Fuzzy Hash: E511EB32309746FAE71B6F559CC2DEA779C9F59750B20003AF610A5682EB60AA804664
APIs
• SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0031A806
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 6e9aca3ab669bb7ed765ea2e0cb1e48d0b781646af2bf5ac5156d38022864b8f
• Instruction ID: b9bb8741f0da028c60dd7544053c326698a1e108e6b94dfc5381eee271129846
• Opcode Fuzzy Hash: 6e9aca3ab669bb7ed765ea2e0cb1e48d0b781646af2bf5ac5156d38022864b8f
• Instruction Fuzzy Hash: F1C18E71A06609DFDB1ACF94D481BEEB7F4EF0C312F204069E605EB281D734AA81CB91
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00316B63
• LoadStringW.USER32(00000000), ref: 00316B6A
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00316B80
• LoadStringW.USER32(00000000), ref: 00316B87
• _wprintf.LIBCMT ref: 00316BAD
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00316BCB
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00316BA8
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 660d25b340531840613b9c6af98050cd9210c97d0e1e0166069e091cb8d023ab
• Instruction ID: 78c3a4207d9fca88155faef3a287ef05c864d56aae231286a96e501fd54857d3
• Opcode Fuzzy Hash: 660d25b340531840613b9c6af98050cd9210c97d0e1e0166069e091cb8d023ab
• Instruction Fuzzy Hash: E30181F6900308BFEB22ABE09D89EF7736CD708305F0044A1B746E2051EA749E848F75
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00332BF6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharConnectRegistryUpper
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2595220575-0
                                                                                                                          • Opcode ID: 2ab16695e83492cdfaa5e70c39f4adde91d4b2f92db72c0bc542248ecfba8b7a
                                                                                                                          • Instruction ID: c7304cb14d279f8fe6c5d128d42c9588531e4bc2347d9dd9895a8e01d510ca5c
                                                                                                                          • Opcode Fuzzy Hash: 2ab16695e83492cdfaa5e70c39f4adde91d4b2f92db72c0bc542248ecfba8b7a
                                                                                                                          • Instruction Fuzzy Hash: 2C9157712042019FCB16EF14C891B6EB7E9FF88310F14885EF9969B2A1DB34E955CF42
                                                                                                                          APIs
                                                                                                                          • select.WSOCK32 ref: 00329691
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 0032969E
                                                                                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003296C8
                                                                                                                           • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003296E9 (ordinal 17 of WSOCK32 is recvfrom; the last argument 0x10 is sizeof(sockaddr_in))
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003296F8
                                                                                                                          • inet_ntoa.WSOCK32(?), ref: 00329765
                                                                                                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 003297AA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$htonsinet_ntoaselect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 500251541-0
                                                                                                                          • Opcode ID: 515ea3a0d33a776110d9dc5e51d36cb7853274265d27b757091cf6040c9f3819
                                                                                                                          • Instruction ID: 4e8512f4f9b73a1f719d5c50bd61e7a4c650e9fc112d8bf3c49c8ba25e9271dc
                                                                                                                          • Opcode Fuzzy Hash: 515ea3a0d33a776110d9dc5e51d36cb7853274265d27b757091cf6040c9f3819
                                                                                                                          • Instruction Fuzzy Hash: E171CA31504250ABC326EF64DC85F6BB7E8EF88714F144A2EF5569B2A1EB30DD14CB92
                                                                                                                          APIs
                                                                                                                          • __mtinitlocknum.LIBCMT ref: 002FA991
                                                                                                                            • Part of subcall function 002F7D7C: __FF_MSGBANNER.LIBCMT ref: 002F7D91
                                                                                                                            • Part of subcall function 002F7D7C: __NMSG_WRITE.LIBCMT ref: 002F7D98
                                                                                                                            • Part of subcall function 002F7D7C: __malloc_crt.LIBCMT ref: 002F7DB8
                                                                                                                          • __lock.LIBCMT ref: 002FA9A4
                                                                                                                          • __lock.LIBCMT ref: 002FA9F0
                                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00386DE0,00000018,00305E7B,?,00000000,00000109), ref: 002FAA0C
                                                                                                                          • EnterCriticalSection.KERNEL32(8000000C,00386DE0,00000018,00305E7B,?,00000000,00000109), ref: 002FAA29
                                                                                                                          • LeaveCriticalSection.KERNEL32(8000000C), ref: 002FAA39
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1422805418-0
                                                                                                                          • Opcode ID: 7425cb2a3ca4089ff5eeb926eefd3e9dadf960fd7ee4cb4159687c8c43e3a82d
                                                                                                                          • Instruction ID: bdde232d5057fcc8142066315363ef497d1ccf24b8a60285387b9b47a23e3d4c
                                                                                                                          • Opcode Fuzzy Hash: 7425cb2a3ca4089ff5eeb926eefd3e9dadf960fd7ee4cb4159687c8c43e3a82d
                                                                                                                          • Instruction Fuzzy Hash: 52414CB192031A9FEB149F68C94477CF7B4AF003A5F104239D62DAB1E1D7B59864CF91
                                                                                                                          APIs
                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00338EE4
                                                                                                                          • GetDC.USER32(00000000), ref: 00338EEC
                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00338EF7
                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00338F03
                                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00338F3F
                                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00338F50
                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0033BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00338F8A
                                                                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00338FAA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3864802216-0
                                                                                                                          • Opcode ID: b0925a63e20e9e267d4a0989d388cff4687013b671924614463c132ae5b5c4ec
                                                                                                                          • Instruction ID: 968758562f34c701b41931d477f89c7174d2ddfec34b1f8081acfcd0e0c18fff
                                                                                                                          • Opcode Fuzzy Hash: b0925a63e20e9e267d4a0989d388cff4687013b671924614463c132ae5b5c4ec
                                                                                                                          • Instruction Fuzzy Hash: 82318072100214BFEB228F54DC89FEB3BADEF49716F054065FE08DA1A1D6759842CB70
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 0034016D
                                                                                                                          • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0034038D
                                                                                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003403AB
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003403D6
                                                                                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003403FF
                                                                                                                          • ShowWindow.USER32(00000003,00000000), ref: 00340421
                                                                                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00340440
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3356174886-0
                                                                                                                          • Opcode ID: e2fd2913c7407d2257951c1fa59a4bd623250d2082279765d57f620e87a335d7
                                                                                                                          • Instruction ID: b6d04d65a3d8e8ffd486a3733b5c4ba5226d3f942a3d710138238822f2db7271
                                                                                                                          • Opcode Fuzzy Hash: e2fd2913c7407d2257951c1fa59a4bd623250d2082279765d57f620e87a335d7
                                                                                                                          • Instruction Fuzzy Hash: 41A1BB35700616EBDB1ACF68C9897AEBBF5BF08701F058119EE54AB290D774BD60CB90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 9b872c5932d0886be4f4dc2305e7ec93a4b15639c1b7961261bedcdc3d26e84a
                                                                                                                          • Instruction ID: ef4ca0d4042fbefbaf95d705e3c862cd12648d355b85bbb5428d94dda720702f
                                                                                                                          • Opcode Fuzzy Hash: 9b872c5932d0886be4f4dc2305e7ec93a4b15639c1b7961261bedcdc3d26e84a
                                                                                                                          • Instruction Fuzzy Hash: FF719CB0910149EFCF15CF99CC89AAEBB79FF85310F248149F915AB250C771AA61CFA1
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 0033225A
                                                                                                                          • _memset.LIBCMT ref: 00332323
                                                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00332368
                                                                                                                            • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
                                                                                                                            • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
                                                                                                                            • Part of subcall function 002EC6F4: _wcscpy.LIBCMT ref: 002EC717
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0033242F
                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0033243E
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 4082843840-2766056989
                                                                                                                          • Opcode ID: d852b3d6cc0e879c6eaa259e893d81f990ec60a62c4689a040a448048b52306e
                                                                                                                          • Instruction ID: 637c5a8e2458cde49d754a1303b352665facd25e191e72fea333f4203ffd11a7
                                                                                                                          • Opcode Fuzzy Hash: d852b3d6cc0e879c6eaa259e893d81f990ec60a62c4689a040a448048b52306e
                                                                                                                          • Instruction Fuzzy Hash: EC718B74A106199FCF05EFA9D8819AEBBF5FF48310F11845AE84AAB351CB34AD50CF90
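The function listings above are Joe Sandbox's machine-generated output and are easier to triage once the raw `APIs` lines are turned into records. The Python script below is an added editorial example, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in exactly the `• Name.MODULE(args), ref: addr` format used in these entries (including the indented `Part of subcall function` variant), resolves ordinal imports such as `#17.WSOCK32` through the Winsock 1.1 ordinal table (ordinal 17 is recvfrom), and decodes the few message, virtual-key and metric constants that actually occur here (WM_SETFONT, WM_KEYDOWN, UDM_SETBUDDY, WM_SIZE, VK_SHIFT/VK_CONTROL/VK_MENU/VK_LWIN, LOGPIXELSY, SM_CYMENU, GWL_USERDATA). The sample input is constructed from entries on this page; the constant tables are deliberately limited to values checked against the Windows SDK headers, and anything outside them is left as a raw hex value.

```python
"""Parse Joe Sandbox per-function "APIs" listings into structured records.

Editorial example; not part of the report or the analysed sample.
"""
import re
from collections import Counter

# Winsock 1.1 export ordinals (identical in wsock32.dll and ws2_32.dll).
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}

# Only the constants that appear in the listings on this page (SDK-verified).
WINDOW_MESSAGES = {0x0005: "WM_SIZE", 0x0030: "WM_SETFONT",
                   0x0100: "WM_KEYDOWN", 0x0469: "UDM_SETBUDDY"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
CONST_TABLES = {                      # function -> (argument index, lookup table)
    "SendMessageW": (1, WINDOW_MESSAGES),
    "PostMessageW": (1, WINDOW_MESSAGES),
    "DefDlgProcW": (1, WINDOW_MESSAGES),
    "GetDeviceCaps": (1, {90: "LOGPIXELSY"}),
    "GetSystemMetrics": (0, {15: "SM_CYMENU"}),
    "GetWindowLongW": (1, {-21: "GWL_USERDATA"}),
}

# "• Name.MODULE(args), ref: ADDR" with optional "Part of subcall function X:" prefix
# and optional argument list (Joe Sandbox omits the parentheses when args are unknown).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def _arg(args, i):
    """Argument i as a signed 32-bit int; None when unknown ('?') or absent."""
    if i >= len(args) or args[i] == "?":
        return None
    v = int(args[i], 16)
    return v - (1 << 32) if v & 0x80000000 else v


def decode(name, args):
    """Symbolic names for the constants a call's meaning hinges on."""
    notes = []
    spec = CONST_TABLES.get(name)
    if spec is None:
        return notes
    idx, table = spec
    val = _arg(args, idx)
    if val is not None and val in table:
        notes.append(table[val])
    if name.endswith("MessageW") and val == 0x0100:   # WM_KEYDOWN: wParam is the VK code
        vk = _arg(args, 2)
        if vk in VIRTUAL_KEYS:
            notes.append(VIRTUAL_KEYS[vk])
    return notes


def parse_api_lines(text):
    """Return one dict per API line, in listing order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, mod = m["name"], m["mod"].upper()
        if name.startswith("#") and mod == "WSOCK32":   # ordinal import, e.g. #17
            name = WSOCK32_ORDINALS.get(int(name[1:]), name)
        args = m["args"].split(",") if m["args"] else []
        calls.append({
            "module": mod, "function": name, "args": args,
            "ref": int(m["ref"], 16),
            "subcall": int(m["sub"], 16) if m["sub"] else None,
            "notes": decode(name, args),
        })
    return calls


def module_histogram(calls):
    """How many calls each imported module accounts for (quick triage view)."""
    return Counter(c["module"] for c in calls)


# Constructed sample: lines copied from the function listings on this page.
SAMPLE = """\
• select.WSOCK32 ref: 00329691
• WSAGetLastError.WSOCK32(00000000), ref: 0032969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003296C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003296E9
• inet_ntoa.WSOCK32(?), ref: 00329765
• htons.WSOCK32(?,?,?,00000000,?), ref: 003297AA
  • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00332BF6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00338EF7
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00338F50
• GetSystemMetrics.USER32(0000000F), ref: 0034016D
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003403FF
• GetKeyboardState.USER32(?), ref: 00313C17
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00313CA4
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00313D26
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        sub = f" (via {c['subcall']:08X})" if c["subcall"] else ""
        print(f"{c['ref']:08X} {c['module']}!{c['function']}{sub} {' '.join(c['notes'])}")
    print(module_histogram(parse_api_lines(SAMPLE)))
```

Feeding the whole report section through `parse_api_lines` and sorting by `ref` gives the call sequence per function without the hash and memory-dump noise; the WSOCK32 block, for example, reads as select / WSAGetLastError / __WSAFDIsSet / recvfrom / inet_ntoa / htons once the ordinal is resolved, which is a UDP receive path rather than the TCP connect path the `select` line alone would suggest.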
                                                                                                                          APIs
                                                                                                                          • GetParent.USER32(00000000), ref: 00313C02
                                                                                                                          • GetKeyboardState.USER32(?), ref: 00313C17
                                                                                                                          • SetKeyboardState.USER32(?), ref: 00313C78
                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00313CA4
                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00313CC1
                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00313D05
                                                                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00313D26
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f006e91ec14de6bdac6e2ed14a26ed9ce3bbe5f348810c9af695ae7d0e4e65bb
• Instruction ID: 625bbcd30d89c3087b11b6209b42d4e4e8c4c447af80c402e11c2734ec43f46a
• Opcode Fuzzy Hash: f006e91ec14de6bdac6e2ed14a26ed9ce3bbe5f348810c9af695ae7d0e4e65bb
• Instruction Fuzzy Hash: F05106A05087D53DFB3B83748C45BF6BFA9AB0E700F088488E0D55A8C2D694EED4E761
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00338FE7
• GetWindowLongW.USER32(0103ED78,000000F0), ref: 0033901A
• GetWindowLongW.USER32(0103ED78,000000F0), ref: 0033904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00339081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003390AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 003390BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003390D6
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 5f2ba5d11e6600a333fa0e73cc7438506a0650f08dda3279bcb7a6670d653a21
• Instruction ID: 00eeb5d81510ed270634b87437f51816b730ba47445f982c5b44416bb1739ca8
• Opcode Fuzzy Hash: 5f2ba5d11e6600a333fa0e73cc7438506a0650f08dda3279bcb7a6670d653a21
• Instruction Fuzzy Hash: 06313235600215EFDB268F58DCC4F6477A9FB4A714F1502A6F9298F2B1CBB2AC41CB40
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003108F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00310918
• SysAllocString.OLEAUT32(00000000), ref: 0031091B
• SysAllocString.OLEAUT32(?), ref: 00310939
• SysFreeString.OLEAUT32(?), ref: 00310942
• StringFromGUID2.OLE32(?,?,00000028), ref: 00310967
• SysAllocString.OLEAUT32(?), ref: 00310975
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 34f974729e53aa05b8cd7e37d4d1ca81e20176d3d9ab8e97a42b7bc51a2d4419
• Instruction ID: 7dad52e98526f64014e3a74c1c6182acced84649152c2a4d8de2e68815706d00
• Opcode Fuzzy Hash: 34f974729e53aa05b8cd7e37d4d1ca81e20176d3d9ab8e97a42b7bc51a2d4419
• Instruction Fuzzy Hash: B221B572600208AFAB159FA9CC88DEB73ECEB0C360B408125F915DB161DBB0EC818B60
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8b5bd0daa0a024e7c5bd6fdd2e1cb6470c340e497189fe7ab7633d9069a84009
• Instruction ID: e31be7eff60df054459a7d8f7b966a0b71ef791efc2dcfbc0faede6718c73e52
• Opcode Fuzzy Hash: 8b5bd0daa0a024e7c5bd6fdd2e1cb6470c340e497189fe7ab7633d9069a84009
• Instruction Fuzzy Hash: F721AC31244251A7D72AAA369C02EF7F39DEF6D350FA04026F54697182EA5099F2C3A0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003109CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003109F1
• SysAllocString.OLEAUT32(00000000), ref: 003109F4
• SysAllocString.OLEAUT32 ref: 00310A15
• SysFreeString.OLEAUT32 ref: 00310A1E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00310A38
• SysAllocString.OLEAUT32(?), ref: 00310A46
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 3ff0918f8589eb80f094344d058883aff05346c0cfb1263c8657e1245d013abb
• Instruction ID: 884d8cac39147ee504e20b5202ff3feb9703d562c5c3f59f124652f34b8b3bb7
• Opcode Fuzzy Hash: 3ff0918f8589eb80f094344d058883aff05346c0cfb1263c8657e1245d013abb
• Instruction Fuzzy Hash: AE217775204204AFDB199FA9DC88DAA77ECEF0C360B458125F909CB261DAB0ECC18B54
APIs
  • Part of subcall function 002ED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002ED1BA
  • Part of subcall function 002ED17C: GetStockObject.GDI32(00000011), ref: 002ED1CE
  • Part of subcall function 002ED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002ED1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0033A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0033A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0033A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0033A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0033A360
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 18d0b34b673f36028f4a5fa62a2960c81c8c136c48be2dfa21826df17eb50f6c
• Instruction ID: f868fe5121ee2fd9fc5f74a6f0975449a51467286b337acb04adc2c611164267
• Opcode Fuzzy Hash: 18d0b34b673f36028f4a5fa62a2960c81c8c136c48be2dfa21826df17eb50f6c
• Instruction Fuzzy Hash: C611B2B1150219BEEF165F60CC85EEB7F6DFF097A8F014115FA48A60A0C7729C22DBA4
APIs
• GetClientRect.USER32(?,?), ref: 002ECCF6
• GetWindowRect.USER32(?,?), ref: 002ECD37
• ScreenToClient.USER32(?,?), ref: 002ECD5F
• GetClientRect.USER32(?,?), ref: 002ECE8C
• GetWindowRect.USER32(?,?), ref: 002ECEA5
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: ae87ca71205dadd932c7388284ed16f0d2a247f55a067baa2d18555e40ea6115
• Instruction ID: 3dc42332015368b0607cf95ab86e79468ceeca00cb726bda3c8d001ab29f0354
• Opcode Fuzzy Hash: ae87ca71205dadd932c7388284ed16f0d2a247f55a067baa2d18555e40ea6115
• Instruction Fuzzy Hash: 67B14C7991028ADBDF14CFA9C4807EDB7B1FF08300F689529EC69EB250DB70A951CB64
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00331C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00331C26
• __wsplitpath.LIBCMT ref: 00331C54
  • Part of subcall function 002F1DFC: __wsplitpath_helper.LIBCMT ref: 002F1E3C
• _wcscat.LIBCMT ref: 00331C69
• Process32NextW.KERNEL32(00000000,?), ref: 00331CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00331CF1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1380811348-0
                                                                                                                          • Opcode ID: ee398fcf9f6e52305671e93eac31f22275b0ded8ed13d78763ef0fa431c28af4
                                                                                                                          • Instruction ID: cca1c1120b09cc73d96cce96ef3e9a5dd058f93c75f79e82a16961a3642e1ae3
                                                                                                                          • Opcode Fuzzy Hash: ee398fcf9f6e52305671e93eac31f22275b0ded8ed13d78763ef0fa431c28af4
                                                                                                                          • Instruction Fuzzy Hash: 58518D715043409FD721EF24D885EABB7ECEF88754F10492EF58A97291EB70EA14CB92
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003330AF
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003330EF
                                                                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00333112
                                                                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0033313B
                                                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0033317E
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0033318B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3451389628-0
                                                                                                                          • Opcode ID: 5bfb02aa47ee09c8a3bf19fd94506fc1eac2a69acd877743c82e724f1f522ff1
                                                                                                                          • Instruction ID: 85b4c9f45156e27c48f84e851446df36d0f42911e95b945d260becb1528007da
                                                                                                                          • Opcode Fuzzy Hash: 5bfb02aa47ee09c8a3bf19fd94506fc1eac2a69acd877743c82e724f1f522ff1
                                                                                                                          • Instruction Fuzzy Hash: 8D514831518300AFC715EF64C885EAABBE9FF88304F04895EF5958B2A1DB31EA15CF52
                                                                                                                          APIs
                                                                                                                          • GetMenu.USER32(?), ref: 00338540
                                                                                                                          • GetMenuItemCount.USER32(00000000), ref: 00338577
                                                                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0033859F
                                                                                                                          • GetMenuItemID.USER32(?,?), ref: 0033860E
                                                                                                                          • GetSubMenu.USER32(?,?), ref: 0033861C
                                                                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0033866D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$Item$CountMessagePostString
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 650687236-0
                                                                                                                          • Opcode ID: fe2d524e4693f26d8a60d90c562f9a4b12a969c532873033d49646ed61949466
                                                                                                                          • Instruction ID: 1272e54af9bf744f1c7a90b6c9cbfb2ce471d9c74c6f39d3c7f2a4b981601278
                                                                                                                          • Opcode Fuzzy Hash: fe2d524e4693f26d8a60d90c562f9a4b12a969c532873033d49646ed61949466
                                                                                                                          • Instruction Fuzzy Hash: 30517C71A00615EFDB12EF64C885AAEB7F8EF48310F114469F916BB351DB70AE418F90
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00314B10
                                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00314B5B
                                                                                                                          • IsMenu.USER32(00000000), ref: 00314B7B
                                                                                                                          • CreatePopupMenu.USER32 ref: 00314BAF
                                                                                                                          • GetMenuItemCount.USER32(000000FF), ref: 00314C0D
                                                                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00314C3E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3311875123-0
                                                                                                                          • Opcode ID: 56f1571dc20ac51d4fb7756ad73b79d3204e27078d90d35f5ab7f46922af3b75
                                                                                                                          • Instruction ID: 7e37aac6cec9e7808c8ca1f0de3cb815b59ae3d6b8b2f3ccacf4bd5d6cf65a36
                                                                                                                          • Opcode Fuzzy Hash: 56f1571dc20ac51d4fb7756ad73b79d3204e27078d90d35f5ab7f46922af3b75
                                                                                                                          • Instruction Fuzzy Hash: AC51D270601309EFDF2ACF68D888BEDBBF8AF49318F148159E4559B291E3709984CB91
                                                                                                                          APIs
                                                                                                                          • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0036DC00), ref: 00328E7C
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00328E89
                                                                                                                          • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00328EAD
                                                                                                                          • #16.WSOCK32(?,?,00000000,00000000), ref: 00328EC5
                                                                                                                          • _strlen.LIBCMT ref: 00328EF7
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00328F6A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$_strlenselect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2217125717-0
                                                                                                                          • Opcode ID: 171c4333ca7a44f43b48d49ae60c61dd116044b0aaa58c6f3dadf31880794b72
                                                                                                                          • Instruction ID: fd3de04d6bb42a962cf78f88f98f506a27342905de5187effe5b9ceadfef2994
                                                                                                                          • Opcode Fuzzy Hash: 171c4333ca7a44f43b48d49ae60c61dd116044b0aaa58c6f3dadf31880794b72
                                                                                                                          • Instruction Fuzzy Hash: D341A071501214ABCB15EFA4ED85EAEB7BDEF48314F10466AF51A9B291DF30AE40CB60
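Three of the function entries above are the ones a triager pulls out of a listing like this to label what a runtime function in the compiled AutoIt binary does: the Toolhelp32 snapshot walk with a filename comparison (CreateToolhelp32Snapshot, Process32FirstW, __wsplitpath, _wcscat, Process32NextW), the registry enumeration reached through RegConnectRegistryW, and the WSOCK32 select loop whose receive call shows up only as the ordinal import #16 (ordinal 16 in WSOCK32.DLL is recv). The Python below is an added example and not Joe Sandbox's code: it parses "APIs" entries in the layout used on this page (the input is a constructed excerpt of the entries shown above), names the ordinal import, and tags each function with capability labels. The rule table, the labels, the small WSOCK32 ordinal table and the RVA helper are assumptions of the example, not fields of the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the report's own "APIs" layout: the Toolhelp32 walk,
# the RegConnectRegistryW/RegEnumValueW function and the WSOCK32 receive loop
# listed on this page, plus one dump-source line carrying the image base.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00331C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00331C26
• __wsplitpath.LIBCMT ref: 00331C54
  • Part of subcall function 002F1DFC: __wsplitpath_helper.LIBCMT ref: 002F1E3C
• _wcscat.LIBCMT ref: 00331C69
• Process32NextW.KERNEL32(00000000,?), ref: 00331CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00331CF1
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
APIs
  • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003330AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003330EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00333112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0033313B
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0036DC00), ref: 00328E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00328E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00328EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00328EC5
• _strlen.LIBCMT ref: 00328EF7
Memory Dump Source
"""

# One bullet of an "APIs" group: optional subcall prefix, Name.MODULE(args), ref: ADDR
ENTRY = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
BASE = re.compile(r"Source File:.*Offset:\s*([0-9A-Fa-f]+)")

# Assumed export-ordinal table for WSOCK32.DLL, used to name "#NN" imports.
WSOCK32_ORDINALS = {4: "connect", 16: "recv", 19: "send", 23: "socket"}

# Example capability rules (our labels, not report fields): every API in the
# list must occur, in this order, among the function's own (non-subcall) calls.
RULES = [
    ("process enumeration via Toolhelp32 snapshot",
     ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"]),
    ("registry value enumeration", ["RegOpenKeyExW", "RegEnumValueW"]),
    ("remote registry access", ["RegConnectRegistryW"]),
    ("socket receive loop", ["select", "recv"]),
]


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                      # call-site address as printed in the report
    parent: Optional[int] = None  # callee address when listed as a subcall


def parse_report(text: str) -> Tuple[List[List[ApiCall]], Optional[int]]:
    """Return one call list per "APIs" group and the image base, if present."""
    functions: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    base = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = BASE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            parent = int(m["parent"], 16) if m["parent"] else None
            current.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
        else:
            current = None  # "Memory Dump Source" or any other line closes the group
    return functions, base


def resolved_name(call: ApiCall) -> str:
    """Map an ordinal import such as #16.WSOCK32 to its export name."""
    if call.name.startswith("#") and call.module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(call.name[1:]), call.name)
    return call.name


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    it = iter(haystack)  # each match consumes the iterator, so order is enforced
    return all(any(x == y for y in it) for x in needle)


def capabilities(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    names = [resolved_name(c) for c in calls if include_subcalls or c.parent is None]
    return [label for label, seq in RULES if is_subsequence(seq, names)]


def rva(call: ApiCall, base: int) -> int:
    """Offset of the call site inside the dumped image (for the .jbxd snapshot)."""
    return call.ref - base


def triage(text: str) -> List[Tuple[int, List[str]]]:
    """(first call-site address, capability labels) for every function in the text."""
    funcs, _ = parse_report(text)
    return [(calls[0].ref, capabilities(calls)) for calls in funcs]
```

Subcall entries are excluded from matching by default because they describe the callee (the CharUpperBuffW inside 00333C06), not the function whose listing they appear in; pass `include_subcalls=True` to fold them in. Running `triage(SAMPLE)` labels the three functions as process enumeration, registry enumeration plus remote registry access, and a socket receive loop.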
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • BeginPaint.USER32(?,?,?), ref: 002EAC2A
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 002EAC8E
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 002EACAB
                                                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002EACBC
                                                                                                                          • EndPaint.USER32(?,?,?,?,?), ref: 002EAD06
                                                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0034E673
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2592858361-0
                                                                                                                          • Opcode ID: eee30bc61193d897ac0bfabe1f1e38671d4f25978b4723983fbc814ee029676b
                                                                                                                          • Instruction ID: f51d215685d7a0ff7b30d945ee5dd2e5c117d66599f358728fe3aee54a92a194
                                                                                                                          • Opcode Fuzzy Hash: eee30bc61193d897ac0bfabe1f1e38671d4f25978b4723983fbc814ee029676b
                                                                                                                          • Instruction Fuzzy Hash: 1A41EE71500341AFC722DF25DC84FB67BECFB59320F14026AF9A48B2A1C331A855CB62
                                                                                                                          APIs
                                                                                                                          • ShowWindow.USER32(00391628,00000000,00391628,00000000,00000000,00391628,?,0034DC5D,00000000,?,00000000,00000000,00000000,?,0034DAD1,00000004), ref: 0033E40B
                                                                                                                          • EnableWindow.USER32(00000000,00000000), ref: 0033E42F
                                                                                                                          • ShowWindow.USER32(00391628,00000000), ref: 0033E48F
                                                                                                                          • ShowWindow.USER32(00000000,00000004), ref: 0033E4A1
                                                                                                                          • EnableWindow.USER32(00000000,00000001), ref: 0033E4C5
                                                                                                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0033E4E8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 642888154-0
                                                                                                                          • Opcode ID: 6a36228de0f4918b9b3ea17b1a95e3a8b5b8d1fa40382c54471ee1ee7be101f9
                                                                                                                          • Instruction ID: a08de77ef2702433b3de2d852ae9763e4ad8a959af0625de70e02ca4b0f4b180
                                                                                                                          • Opcode Fuzzy Hash: 6a36228de0f4918b9b3ea17b1a95e3a8b5b8d1fa40382c54471ee1ee7be101f9
                                                                                                                          • Instruction Fuzzy Hash: D6414734601250EFDB23CF29C5D9B947BE1BB09305F5A81A9EA588F2E2C731E852CB51
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 003198D1
  • Part of subcall function 002EF4EA: std::exception::exception.LIBCMT ref: 002EF51E
  • Part of subcall function 002EF4EA: __CxxThrowException@8.LIBCMT ref: 002EF533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00319908
• EnterCriticalSection.KERNEL32(?), ref: 00319924
• LeaveCriticalSection.KERNEL32(?), ref: 0031999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003199B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 003199D2
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
• Opcode ID: 8d4b6a7bedc311e73f8673d7336eebb058513ba3ac91f81c6c67dac60ddadd2b
• Instruction ID: 6860257c263e5171f5563a6e9182cdbc789bba40ce02a10b7aebe3f61a3ad654
• Opcode Fuzzy Hash: 8d4b6a7bedc311e73f8673d7336eebb058513ba3ac91f81c6c67dac60ddadd2b
• Instruction Fuzzy Hash: 54318F31900205EBDB11AFA5DD85EAFBBB8FF45310F1480A9F904EB296D730DA50CBA0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,003277F4,?,?,00000000,00000001), ref: 00329B53
  • Part of subcall function 00326544: GetWindowRect.USER32(?,?), ref: 00326557
• GetDesktopWindow.USER32 ref: 00329B7D
• GetWindowRect.USER32(00000000), ref: 00329B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00329BB6
  • Part of subcall function 00317A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00317AD0
• GetCursorPos.USER32(?), ref: 00329BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00329C44
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 7d37d525006ee01b5ca96531ae2165aa9d70b58057ff4daf5da07516268d4c94
• Instruction ID: d005ed5d7b1f0a50e18dbdcad1e33b1e52b52f05bd5a242640ac12c435a8772b
• Opcode Fuzzy Hash: 7d37d525006ee01b5ca96531ae2165aa9d70b58057ff4daf5da07516268d4c94
• Instruction Fuzzy Hash: 8731CF72104319AFC721DF54E849F9AB7EDFF89314F00091AF585D7191DA31EA44CB92
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0030AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 0030AFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0030AFC4
• CloseHandle.KERNEL32(00000004), ref: 0030AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0030AFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 0030B012
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 61713563f06a9298a69aff19a81a7ea2a38e489c47ac442ec62f5d363306b79a
• Instruction ID: 65d4dcc03a91b9a33f914e57034da3afc4fa500f64d1ab5111f4f0197958b285
• Opcode Fuzzy Hash: 61713563f06a9298a69aff19a81a7ea2a38e489c47ac442ec62f5d363306b79a
• Instruction Fuzzy Hash: 48217C7210570AABDB138F94ED09BAE7BADAF44305F054015FA01A21A1C3769D60EB61
APIs
  • Part of subcall function 002EAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002EAFE3
  • Part of subcall function 002EAF83: SelectObject.GDI32(?,00000000), ref: 002EAFF2
  • Part of subcall function 002EAF83: BeginPath.GDI32(?), ref: 002EB009
  • Part of subcall function 002EAF83: SelectObject.GDI32(?,00000000), ref: 002EB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0033EC20
• LineTo.GDI32(00000000,00000003,?), ref: 0033EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0033EC42
• LineTo.GDI32(00000000,00000000,?), ref: 0033EC52
• EndPath.GDI32(00000000), ref: 0033EC62
• StrokePath.GDI32(00000000), ref: 0033EC72
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 4d0194eee5fdb4a79fcd2aa98a942cdab874f21f6d24942cc3940e18434e9c00
• Instruction ID: c85f3cd32264e1d8908d5df6b0e819513d971a962dc14f770d7c0b322c7b0902
• Opcode Fuzzy Hash: 4d0194eee5fdb4a79fcd2aa98a942cdab874f21f6d24942cc3940e18434e9c00
• Instruction Fuzzy Hash: 4411C972400249BFEB129F90DD88EEA7F6DEB08355F048112FE199A1B0D7719D55DBA0
APIs
• GetDC.USER32(00000000), ref: 0030E1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0030E1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0030E1D8
• ReleaseDC.USER32(00000000,00000000), ref: 0030E1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0030E1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 0030E209
  • Part of subcall function 00309AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00309A05,00000000,00000000,?,00309DDB), ref: 0030A53A
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: 0617343e03489b92ad447fb24d16de7d72335e8089f219e38ceaa6b7670c1fcc
• Instruction ID: 90565c201cd1cb7683cc14024611e9c96076c274b8e8300eccfd5e3affe8d72d
• Opcode Fuzzy Hash: 0617343e03489b92ad447fb24d16de7d72335e8089f219e38ceaa6b7670c1fcc
• Instruction Fuzzy Hash: 80018FB5A00714BFEB119BA6DC45B5EBFB8EB48351F004066EA04EB2D0D6709C01CBA0
APIs
• __init_pointers.LIBCMT ref: 002F7B47
  • Part of subcall function 002F123A: __initp_misc_winsig.LIBCMT ref: 002F125E
  • Part of subcall function 002F123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002F7F51
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002F7F65
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002F7F78
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002F7F8B
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002F7F9E
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002F7FB1
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002F7FC4
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002F7FD7
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002F7FEA
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002F7FFD
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002F8010
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002F8023
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002F8036
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002F8049
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002F805C
  • Part of subcall function 002F123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 002F806F
• __mtinitlocks.LIBCMT ref: 002F7B4C
  • Part of subcall function 002F7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0038AC68,00000FA0,?,?,002F7B51,002F5E77,00386C70,00000014), ref: 002F7E41
• __mtterm.LIBCMT ref: 002F7B55
  • Part of subcall function 002F7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002F7B5A,002F5E77,00386C70,00000014), ref: 002F7D3F
  • Part of subcall function 002F7BBD: _free.LIBCMT ref: 002F7D46
  • Part of subcall function 002F7BBD: DeleteCriticalSection.KERNEL32(0038AC68,?,?,002F7B5A,002F5E77,00386C70,00000014), ref: 002F7D68
• __calloc_crt.LIBCMT ref: 002F7B7A
• GetCurrentThreadId.KERNEL32 ref: 002F7BA3
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: a5f12651b8cf5913912213d6696d9fdc6f87ca34ee4b8b5062488ea607426879
• Instruction ID: 769cf8d1b0da1f97a0119b254950e5378874b3ffaf97c91f7c533471a387cdcb
• Opcode Fuzzy Hash: a5f12651b8cf5913912213d6696d9fdc6f87ca34ee4b8b5062488ea607426879
• Instruction Fuzzy Hash: 1CF0FC3113C71A19E6257B38BC06676A6C49F033F4F1006BAFB60D51D1FF2048318960
                                                                                                                          APIs
                                                                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D281D
                                                                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 002D2825
                                                                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D2830
                                                                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D283B
                                                                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 002D2843
                                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 002D284B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Virtual
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4278518827-0
                                                                                                                          • Opcode ID: 2696db7155268af1a7c06b35062d8c329c53a5114af7951f77447c04fdef66fb
                                                                                                                          • Instruction ID: 9f699d244dbbdab56b9d76f8d7c7a77e645a04cfa20f73f65e79119c864ab6d6
                                                                                                                          • Opcode Fuzzy Hash: 2696db7155268af1a7c06b35062d8c329c53a5114af7951f77447c04fdef66fb
                                                                                                                          • Instruction Fuzzy Hash: BD0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1423608774-0
                                                                                                                          • Opcode ID: ace23bc1aac3facbdd398a47bb00e9f8dfa837f9e64936a0de1a151945800c63
                                                                                                                          • Instruction ID: 7f3749718ddacff066394b1aa0e1fecb604247865053cdd047dc7228f0f44fb8
                                                                                                                          • Opcode Fuzzy Hash: ace23bc1aac3facbdd398a47bb00e9f8dfa837f9e64936a0de1a151945800c63
                                                                                                                          • Instruction Fuzzy Hash: 2C018136142311ABD72B1B54EC58EEB776EFF8C702F45082AF507DA0A0DB65A854DB50
                                                                                                                          APIs
                                                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00317C07
                                                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00317C1D
                                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00317C2C
                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C3B
                                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C45
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C4C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 839392675-0
                                                                                                                          • Opcode ID: 9f5a8350a2a65205718601d800713e25189e530291b3285a64cc623d70618bb8
                                                                                                                          • Instruction ID: ff243eec030f032fc33d35a87eed36c877a6430d7b99c9989d208d8a36f64068
                                                                                                                          • Opcode Fuzzy Hash: 9f5a8350a2a65205718601d800713e25189e530291b3285a64cc623d70618bb8
                                                                                                                          • Instruction Fuzzy Hash: C4F03076241658BBE73257529C0DEEF7B7CDFC6B12F400018F601D1061D7A05A42C6B6
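The six calls above are the classic graceful-close-then-kill sequence: WM_CLOSE (0x10) is posted and then sent with SMTO_ABORTIFHUNG (2) and a 500 ms (0x1F4) timeout, after which the owning process is opened with PROCESS_ALL_ACCESS (0x1F0FFF) and terminated, which is the order AutoIt's WinKill() uses. The decoder below is an added example, not Joe Sandbox or AutoIt code. It parses annotation lines in exactly the format printed in this report (the sample input is the six lines of this record, copied verbatim), names the documented Win32 constants at their documented parameter slots, drops the surplus stack slots the sandbox prints past the last real argument (visible in the OpenProcess line), and flags the GetWindowThreadProcessId, OpenProcess, TerminateProcess chain. The constant and parameter-count tables are assumptions limited to the APIs that appear on this page.

```python
"""Decode Joe Sandbox 'APIs' annotation lines into readable Win32 call sequences.
Added example; constant names and parameter counts are the documented Win32 values
for the APIs on this page only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: str          # call-site address inside the dumped image
    subcall: bool     # line was marked "Part of subcall function ..."


# Constructed input: the six 'APIs' lines of the record above, verbatim.
SAMPLE_APIS = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00317C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00317C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00317C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00317C4C
"""

LINE_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Documented names for values at (api, zero-based parameter index) slots.
WM_NAMES = {0x10: "WM_CLOSE"}
SMTO_NAMES = {0x2: "SMTO_ABORTIFHUNG"}
ACCESS_NAMES = {0x1F0FFF: "PROCESS_ALL_ACCESS"}
VK_NAMES = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
DECODE = {("PostMessageW", 1): WM_NAMES, ("SendMessageTimeoutW", 1): WM_NAMES,
          ("SendMessageTimeoutW", 4): SMTO_NAMES, ("OpenProcess", 0): ACCESS_NAMES,
          ("MapVirtualKeyW", 0): VK_NAMES}
# Real parameter counts: the sandbox prints extra stack slots past the last
# argument (see the OpenProcess line), and those must not be decoded.
PARAM_COUNT = {"PostMessageW": 4, "SendMessageTimeoutW": 7, "GetWindowThreadProcessId": 2,
               "OpenProcess": 3, "TerminateProcess": 2, "CloseHandle": 1, "MapVirtualKeyW": 2}
# Window handle -> owning process -> forced kill, in this order.
KILL_CHAIN = ["GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"]


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                     # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok                          # e.g. a literal string argument


def parse_call(line: str) -> Optional[Call]:
    """One annotation line -> Call, or None for lines without an argument list."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return Call(m.group("api"), m.group("mod"), args, m.group("ref"), bool(m.group("sub")))


def describe(call: Call) -> str:
    """Render the call with known constants named and surplus stack slots dropped."""
    n = PARAM_COUNT.get(call.api, len(call.args))
    parts = []
    for i, a in enumerate(call.args[:n]):
        if a is None:
            parts.append("?")
        elif isinstance(a, int):
            parts.append(DECODE.get((call.api, i), {}).get(a, f"0x{a:X}"))
        else:
            parts.append(repr(a))
    return f"{call.api}({', '.join(parts)}) @ {call.ref}"


def find_kill_chain(calls: List[Call]) -> Optional[List[str]]:
    """Refs of the three chain calls if they occur in order, else None."""
    refs, want = [], 0
    for c in calls:
        if c.api == KILL_CHAIN[want]:
            refs.append(c.ref)
            want += 1
            if want == len(KILL_CHAIN):
                return refs
    return None


def analyse(text: str):
    """Parse a block of annotation lines; returns (calls, rendered lines, chain refs)."""
    calls = [c for c in (parse_call(ln) for ln in text.splitlines()) if c]
    return calls, [describe(c) for c in calls], find_kill_chain(calls)


if __name__ == "__main__":
    _, rendered, chain = analyse(SAMPLE_APIS)
    print("\n".join(rendered))
    print("kill chain at:", chain)
```

Running it prints `PostMessageW(?, WM_CLOSE, 0x0, 0x0) @ 00317C07` down to `CloseHandle(0x0) @ 00317C4C` and reports the chain at 00317C2C, 00317C3B, 00317C45. The same parser handles the MapVirtualKeyW record earlier on this page (VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU), which is the modifier-key lookup an AutoIt Send() implementation performs, and the "Part of subcall function" lines in the next record.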
                                                                                                                          APIs
                                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00319A33
                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,00345DEE,?,?,?,?,?,002DED63), ref: 00319A44
                                                                                                                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,00345DEE,?,?,?,?,?,002DED63), ref: 00319A51
                                                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00345DEE,?,?,?,?,?,002DED63), ref: 00319A5E
                                                                                                                            • Part of subcall function 003193D1: CloseHandle.KERNEL32(?,?,00319A6B,?,?,?,00345DEE,?,?,?,?,?,002DED63), ref: 003193DB
                                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00319A71
                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,00345DEE,?,?,?,?,?,002DED63), ref: 00319A78
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3495660284-0
                                                                                                                          • Opcode ID: 4d4195d3f00bee08a1d304e34db4f8d822310181025e9c06ed156aba931a4b65
                                                                                                                          • Instruction ID: 8ba89c54b0ca84eb94211f00d9f2e71412657ffbf8f20a71bd8bd006ac6d1ea7
                                                                                                                          • Opcode Fuzzy Hash: 4d4195d3f00bee08a1d304e34db4f8d822310181025e9c06ed156aba931a4b65
                                                                                                                          • Instruction Fuzzy Hash: 3DF05E36142311ABD7271BA4EC8DEEA776DFF88302F150826F603950B0DB759841DB51
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EF4EA: std::exception::exception.LIBCMT ref: 002EF51E
                                                                                                                            • Part of subcall function 002EF4EA: __CxxThrowException@8.LIBCMT ref: 002EF533
                                                                                                                          • __swprintf.LIBCMT ref: 002D1EA6
                                                                                                                          Strings
                                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002D1D49
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                          • API String ID: 2125237772-557222456
                                                                                                                          • Opcode ID: 835928bfa9f77667f7615edf56ed8872dafad5ceb7a532ac763490ce1a50ce3e
                                                                                                                          • Instruction ID: b5719e4d695bc474e37862915b78c7377e41c30f028e0e2e9434cfde811afef2
                                                                                                                          • Opcode Fuzzy Hash: 835928bfa9f77667f7615edf56ed8872dafad5ceb7a532ac763490ce1a50ce3e
                                                                                                                          • Instruction Fuzzy Hash: F4917B71528201AFC725EF25C895C6EB7E8AF95700F00496EF9859B3A1DB70ED24CF92
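The string referenced at 002D1D49 is the tokenizer pattern this function applies to a printf-style format string before it reaches __swprintf: it accepts the escapes `\\`, `\n`, `\r`, `\t`, the literal `%%`, and a conversion spec with optional flag, width (digits or `*`), precision (`.digits` or `.*`), length modifier and one of the conversion letters `diouxXeEfgGs`; the std::exception / __CxxThrowException@8 subcall is the rejection path. The snippet below is an added example (not AutoIt or Joe Sandbox code) that runs the page's regex, copied verbatim, over constructed format strings and reports which `%` characters it leaves uncovered, i.e. what such a validator would reject.

```python
"""Tokenize printf-style format strings with the regex recovered from the sample.
Added example; the pattern is the string reference at 002D1D49 on this page."""
import re
from typing import List

# Copied verbatim from the report; a raw string keeps the backslashes intact.
FORMAT_TOKEN = re.compile(
    r"\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]"
)


def tokenize(fmt: str) -> List[str]:
    """Escapes, '%%' and conversion specs the pattern recognises, in order."""
    return [m.group(0) for m in FORMAT_TOKEN.finditer(fmt)]


def stray_percents(fmt: str) -> List[int]:
    """Offsets of '%' characters no token covers; a strict validator rejects these."""
    covered = set()
    for m in FORMAT_TOKEN.finditer(fmt):
        covered.update(range(m.start(), m.end()))
    return [i for i, ch in enumerate(fmt) if ch == "%" and i not in covered]


if __name__ == "__main__":
    for sample in (r"Total: %-8.2f items%%\n", r"%*.*s\t", "%q and %5d", "100%%%"):
        print(repr(sample), tokenize(sample), "stray:", stray_percents(sample))
```

Note that the escape alternative matches a backslash followed by one of `\`, `n`, `r`, `t` in the string itself, so the samples use raw strings; an unsupported conversion such as `%q` or a trailing lone `%` is exactly what the stray check surfaces.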
                                                                                                                          APIs
                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0032B006
                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 0032B115
                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0032B298
                                                                                                                            • Part of subcall function 00319DC5: VariantInit.OLEAUT32(00000000), ref: 00319E05
                                                                                                                            • Part of subcall function 00319DC5: VariantCopy.OLEAUT32(?,?), ref: 00319E0E
                                                                                                                            • Part of subcall function 00319DC5: VariantClear.OLEAUT32(?), ref: 00319E1A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                          • API String ID: 4237274167-1221869570
                                                                                                                          • Opcode ID: 75e32e720f3686d0415326c291d84ac113e1602a84b0575e0eaa0feed570542e
                                                                                                                          • Instruction ID: af3a1237308f2a94b3f36d84afa6e27bf21332fa52cad61a088fba839b7cd096
                                                                                                                          • Opcode Fuzzy Hash: 75e32e720f3686d0415326c291d84ac113e1602a84b0575e0eaa0feed570542e
                                                                                                                          • Instruction Fuzzy Hash: 9A917B70608341DFCB11EF24D49195AB7E8EF89704F14886EF89A9B3A2DB31ED45CB52
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EC6F4: _wcscpy.LIBCMT ref: 002EC717
                                                                                                                          • _memset.LIBCMT ref: 00315438
                                                                                                                          • GetMenuItemInfoW.USER32(?), ref: 00315467
                                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00315513
                                                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0031553D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                           • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                           • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 4152858687-4108050209
                                                                                                                          • Opcode ID: abe482d041450c1523f0bae31522ac268ddb4681a5188c0091efa0e290928599
                                                                                                                          • Instruction ID: afff7407173743ce3c3c7ccb286064ae1082db1c2bbd82ee46ab8d1ea0dab3ef
                                                                                                                          • Opcode Fuzzy Hash: abe482d041450c1523f0bae31522ac268ddb4681a5188c0091efa0e290928599
                                                                                                                          • Instruction Fuzzy Hash: 7B51E271114702DBD71A9F29C8456EBB7E9EBCA350F05092AF8A6D3191EB70CD848B52
                                                                                                                          APIs
                                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0031027B
                                                                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003102B1
                                                                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003102C2
                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00310344
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                          • String ID: DllGetClassObject
                                                                                                                          • API String ID: 753597075-1075368562
                                                                                                                          • Opcode ID: e797531e26262b83d781676dbb47cb7a15f6e6b800bf7182eee8106d3f903e4f
                                                                                                                          • Instruction ID: 9a3593cc4674ac934b28f8513f810c9aa3da97391122ff1aa89be9d1e7250b13
                                                                                                                          • Opcode Fuzzy Hash: e797531e26262b83d781676dbb47cb7a15f6e6b800bf7182eee8106d3f903e4f
                                                                                                                          • Instruction Fuzzy Hash: 25413975600204AFDB1ECF64C884ADA7BB9EF48311F1584A9A919DF216D7F1DAC4CBA0
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 00315075
                                                                                                                          • GetMenuItemInfoW.USER32 ref: 00315091
                                                                                                                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003150D7
                                                                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00391708,00000000), ref: 00315120
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 1173514356-4108050209
                                                                                                                          • Opcode ID: 4113c08cebba8f95e27f34abc8bcda9311639ed7029d0a4a48c6d3a45fc2fc08
                                                                                                                          • Instruction ID: df57d15f8a54028ffe32a711180e6b2ae651b79bc44d939dc3f6f2e5c4f3fed0
                                                                                                                          • Opcode Fuzzy Hash: 4113c08cebba8f95e27f34abc8bcda9311639ed7029d0a4a48c6d3a45fc2fc08
                                                                                                                          • Instruction Fuzzy Hash: 4C41C335204701EFDB26DF24D880BAAB7E8AFC9314F05462EF85597291D730E840CB62
                                                                                                                          APIs
                                                                                                                          • CharLowerBuffW.USER32(?,?,?,?), ref: 00330587
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: BuffCharLower
                                                                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                                                                          • API String ID: 2358735015-567219261
                                                                                                                          • Opcode ID: 627dde453a0b5244a77ee2476484c3738b06d4a8f0badf75179959ca65be015b
                                                                                                                          • Instruction ID: 9b1234cc1cc98255d4c7cdb65df3bdb095851cde655a6f66e1082b5158a30e01
                                                                                                                          • Opcode Fuzzy Hash: 627dde453a0b5244a77ee2476484c3738b06d4a8f0badf75179959ca65be015b
                                                                                                                          • Instruction Fuzzy Hash: 5231F230510216AFCF05EF68C8919EEB3B8FF49314F10466AE826A76D1DB31E921CF80
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0030B88E
                                                                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0030B8A1
                                                                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 0030B8D1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: ComboBox$ListBox
                                                                                                                          • API String ID: 3850602802-1403004172
                                                                                                                          • Opcode ID: f22328799679507c73cd49c17e895b0c5d54c9c9878a91c1384c4d822d560213
                                                                                                                          • Instruction ID: 33fce6c51ec740a72ee55e5875663f8c16ffb33dad1eb581328f76453d570275
                                                                                                                          • Opcode Fuzzy Hash: f22328799679507c73cd49c17e895b0c5d54c9c9878a91c1384c4d822d560213
                                                                                                                          • Instruction Fuzzy Hash: D021E171901248AFDB1AABA4D8969FEB7BCDF05350B20812AF461A62F0DB744D169B60
                                                                                                                          APIs
                                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00324401
                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00324427
                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00324457
                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0032449E
                                                                                                                            • Part of subcall function 00325052: GetLastError.KERNEL32(?,?,003243CC,00000000,00000000,00000001), ref: 00325067
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1951874230-3916222277
                                                                                                                          • Opcode ID: 12296933e0221ce4cd85fbe389b8461de259508cdb3b4520deb18316b433c8b4
                                                                                                                          • Instruction ID: aa1c1909f00bc5ae50509a90741959d453ff209bd56a8b10eb2397d8eaed717b
                                                                                                                          • Opcode Fuzzy Hash: 12296933e0221ce4cd85fbe389b8461de259508cdb3b4520deb18316b433c8b4
                                                                                                                          • Instruction Fuzzy Hash: A8219FB2500218BFE722AF55EC85EBFBAFCEB48748F10841AF509D6150EA749D059771
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002ED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002ED1BA
                                                                                                                            • Part of subcall function 002ED17C: GetStockObject.GDI32(00000011), ref: 002ED1CE
                                                                                                                            • Part of subcall function 002ED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002ED1D8
                                                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0033915C
                                                                                                                          • LoadLibraryW.KERNEL32(?), ref: 00339163
                                                                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00339178
                                                                                                                          • DestroyWindow.USER32(?), ref: 00339180
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                          • String ID: SysAnimate32
                                                                                                                          • API String ID: 4146253029-1011021900
                                                                                                                          • Opcode ID: 936bf9c05170b574e9e126611e0bd50ace642915fffa7c5392d3d7ab5163195b
                                                                                                                          • Instruction ID: 1db6a856d5edd28613134a75bef962c8967f25b9bbcf95aa842cfa9375961f4c
                                                                                                                          • Opcode Fuzzy Hash: 936bf9c05170b574e9e126611e0bd50ace642915fffa7c5392d3d7ab5163195b
                                                                                                                          • Instruction Fuzzy Hash: A121C271A00206FBEF224E64DCC4FBA37ADEF55365F11021AF954A6190C3B5CC52A760
                                                                                                                          APIs
                                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00319588
                                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003195B9
                                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 003195CB
                                                                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00319605
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateHandle$FilePipe
                                                                                                                          • String ID: nul
                                                                                                                          • API String ID: 4209266947-2873401336
                                                                                                                          • Opcode ID: f6cfc4e71fee0910475dd196c69cf8576d07a00f3849b4dca00f9140e9dd8305
                                                                                                                          • Instruction ID: 2a56fb3a3bcfbdea0e42091b0f7d7a30f0c54670fae3209649259075c98be956
                                                                                                                          • Opcode Fuzzy Hash: f6cfc4e71fee0910475dd196c69cf8576d07a00f3849b4dca00f9140e9dd8305
                                                                                                                          • Instruction Fuzzy Hash: CE2153705003059BDB269F25DC15BDA77E9AF49720F204A1AF9A1E72E0D770D994CB10
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00319653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00319683
• GetStdHandle.KERNEL32(000000F6), ref: 00319694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003196CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 982c1d3ab430b71b7c0e4afe50da70472f5999867f365b325d5a4a0fa1a3ef6f
• Instruction ID: 2390d26e5c2334e95c0e8393c28d3d4afb138a4fdce75c33187a56f7ad0c6b2f
• Opcode Fuzzy Hash: 982c1d3ab430b71b7c0e4afe50da70472f5999867f365b325d5a4a0fa1a3ef6f
• Instruction Fuzzy Hash: 322174716003059BDB2A9F69DC55FDA77ECAF59730F200A1AF8A1D72D0E7709881CB61
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0031DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0031DB5E
• __swprintf.LIBCMT ref: 0031DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0036DC00), ref: 0031DBB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 6e5c65963c1836651fb28f1981952d4b96c654936636f9d9f2188d42bf9aef96
• Instruction ID: 65172aa4de5018ac86a46da8fb70abc78f76a7607199ae7ec923c6f62bf06566
• Opcode Fuzzy Hash: 6e5c65963c1836651fb28f1981952d4b96c654936636f9d9f2188d42bf9aef96
• Instruction Fuzzy Hash: FB216035A00209AFCB15EFA4C985DEEBBB8EF49704B104069F50AD7351DB71EA41CF61
APIs
  • Part of subcall function 0030C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0030C84A
  • Part of subcall function 0030C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0030C85D
  • Part of subcall function 0030C82D: GetCurrentThreadId.KERNEL32 ref: 0030C864
  • Part of subcall function 0030C82D: AttachThreadInput.USER32(00000000), ref: 0030C86B
• GetFocus.USER32 ref: 0030CA05
  • Part of subcall function 0030C876: GetParent.USER32(?), ref: 0030C884
• GetClassNameW.USER32(?,?,00000100), ref: 0030CA4E
• EnumChildWindows.USER32(?,0030CAC4), ref: 0030CA76
• __swprintf.LIBCMT ref: 0030CA90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: 33250c4badf5b4648b119fc236d93b134e19393f68026719194618fbd5aa1746
• Instruction ID: ccd928c589260dc46c981dbbae7f1b6d86b6fa228c797984b12b2a2721fa532b
• Opcode Fuzzy Hash: 33250c4badf5b4648b119fc236d93b134e19393f68026719194618fbd5aa1746
• Instruction Fuzzy Hash: E61184716212097BCB12BFA0DC99FEA376CAF44714F009166FE08AA182DB709946DB70
APIs
• __lock.LIBCMT ref: 002F7AD8
  • Part of subcall function 002F7CF4: __mtinitlocknum.LIBCMT ref: 002F7D06
  • Part of subcall function 002F7CF4: EnterCriticalSection.KERNEL32(00000000,?,002F7ADD,0000000D), ref: 002F7D1F
• InterlockedIncrement.KERNEL32(?), ref: 002F7AE5
• __lock.LIBCMT ref: 002F7AF9
• ___addlocaleref.LIBCMT ref: 002F7B17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
• String ID: `5
• API String ID: 1687444384-416709829
• Opcode ID: 566619ad0ac6b1ed5907763d244fd6dc039fb644d66b6857e034beca0ae60885
• Instruction ID: 45083605f196cf9d80bdc16ceaafbdb8966d7d5f29526aa1b2ac05d337f0ff58
• Opcode Fuzzy Hash: 566619ad0ac6b1ed5907763d244fd6dc039fb644d66b6857e034beca0ae60885
• Instruction Fuzzy Hash: 3501AD75414B049FE721EF75C90A75AF7F0EF00325F20885EE59A976A0CBB0A654CF11
APIs
• _memset.LIBCMT ref: 0033E33D
• _memset.LIBCMT ref: 0033E34C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00393D00,00393D44), ref: 0033E37B
• CloseHandle.KERNEL32 ref: 0033E38D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: D=9
• API String ID: 3277943733-3175038136
• Opcode ID: cf69dad8b5de827ed3e59caf53570fe60329df70c24fa1c4ab3e0e95050a9ff9
• Instruction ID: 566074f7def4bc0a36ba3220fe798a0b8138ae4ebaaaffa1efcb719a4f5a9b6d
• Opcode Fuzzy Hash: cf69dad8b5de827ed3e59caf53570fe60329df70c24fa1c4ab3e0e95050a9ff9
• Instruction Fuzzy Hash: DAF082F5550304BEE7121B60AC5AFBBBE5CDB04754F004422FF08DA1E2D3769E1086A9
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003319F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00331A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00331B49
• CloseHandle.KERNEL32(?), ref: 00331BBF
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: ed7087b55a21cfe2cf9880c14c13c4863268a2917b29147988f4576d15fce610
• Instruction ID: 8adcff8b9f1d9518842305b735c56ec2f4f4006e74cce6024a787ca4f3a03dae
• Opcode Fuzzy Hash: ed7087b55a21cfe2cf9880c14c13c4863268a2917b29147988f4576d15fce610
• Instruction Fuzzy Hash: E281C470650200EBDF21AF65C886BADBBE9EF08720F158459F905AF392D7B4AD51CF90
APIs
• VariantInit.OLEAUT32(?), ref: 00311CB4
• VariantClear.OLEAUT32(00000013), ref: 00311D26
• VariantClear.OLEAUT32(00000000), ref: 00311D81
• VariantClear.OLEAUT32(?), ref: 00311DF8
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00311E26
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: c1b76b42ccd2088d9079998f569dafa9ea2dd0a71a795b30bc8e21ee08323e6e
• Instruction ID: 76667f2bd47aec3e87e2c35c858a4ada90da221f7b26c9b149359c37d708ae14
• Opcode Fuzzy Hash: c1b76b42ccd2088d9079998f569dafa9ea2dd0a71a795b30bc8e21ee08323e6e
• Instruction Fuzzy Hash: 125137B5A00209EFDB15CF58D880AEAB7B8FF4C314B158559EA59DB311E730EA51CFA0
APIs
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003306EE
• GetProcAddress.KERNEL32(00000000,?), ref: 0033077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0033079B
• GetProcAddress.KERNEL32(00000000,?), ref: 003307E1
• FreeLibrary.KERNEL32(00000000,00000004), ref: 003307FB
  • Part of subcall function 002EE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0031A574,?,?,00000000,00000008), ref: 002EE675
  • Part of subcall function 002EE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0031A574,?,?,00000000,00000008), ref: 002EE699
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
                                                                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 327935632-0
                                                                                                                          • Opcode ID: e2d37a8de73d53f6eb1fa3e92b13e44ae5e2508c41dc082d2dee5a9a048c5aaf
                                                                                                                          • Instruction ID: 511d2ff1d4d4296a197d7d8d37f839048315ac09a9d139dfd5a865225e9ca057
                                                                                                                          • Opcode Fuzzy Hash: e2d37a8de73d53f6eb1fa3e92b13e44ae5e2508c41dc082d2dee5a9a048c5aaf
                                                                                                                          • Instruction Fuzzy Hash: 5E517775A00205DFCB05EFA8C4959ADB7B9BF48310F15809AEA16AB362DB30ED45CF80
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 00333C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00332BB5,?,?), ref: 00333C1D
                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00332EEF
                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00332F2E
                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00332F75
                                                                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00332FA1
                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00332FAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3740051246-0
                                                                                                                          • Opcode ID: 9ac7e306c33d2d70528db22c4aa7a9317e32807259cd18f7b21dadcd347b90e0
                                                                                                                          • Instruction ID: 37e92ea3a0b3e74ea8e2366a7a0a01e873b672db624a8ec8790449dff812b998
                                                                                                                          • Opcode Fuzzy Hash: 9ac7e306c33d2d70528db22c4aa7a9317e32807259cd18f7b21dadcd347b90e0
                                                                                                                          • Instruction Fuzzy Hash: A0513471218204AFD705EF64C881EABB7F9EF88304F10885EF5959B2A1DB30E915CB52
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6d79cf840e6d9e90b45ba097fb6830fc0ab9b830d8fcb28b30ce19e3e2e0c86d
                                                                                                                          • Instruction ID: 8336d45f4d59fe91c81b34bb1e4d7a660ef668fa3148279b9a6f24eddbd2d16a
                                                                                                                          • Opcode Fuzzy Hash: 6d79cf840e6d9e90b45ba097fb6830fc0ab9b830d8fcb28b30ce19e3e2e0c86d
                                                                                                                          • Instruction Fuzzy Hash: 8D41D379910205AFCB22DF68CCC4FA9BB68FB09311F161265F85AB72E1C730AD41DB50
                                                                                                                          APIs
                                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003212B4
                                                                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003212DD
                                                                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0032131C
                                                                                                                            • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
                                                                                                                            • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00321341
                                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00321349
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1389676194-0
                                                                                                                          • Opcode ID: b5f2a8af2d778a4c15a2386ef2b91a0b60f30d5260a52f67fce3b51cce1fb9af
                                                                                                                          • Instruction ID: 50f5b051437d6b1927946aaa5c7d81e53c997530836bba176eec009229183dc3
                                                                                                                          • Opcode Fuzzy Hash: b5f2a8af2d778a4c15a2386ef2b91a0b60f30d5260a52f67fce3b51cce1fb9af
                                                                                                                          • Instruction Fuzzy Hash: B1410A35A10605DFDB01EF64C981AAEBBF9FF08314B148099E90AAB362DB31ED51DF51
                                                                                                                          APIs
                                                                                                                          • GetCursorPos.USER32(000000FF), ref: 002EB64F
                                                                                                                          • ScreenToClient.USER32(00000000,000000FF), ref: 002EB66C
                                                                                                                          • GetAsyncKeyState.USER32(00000001), ref: 002EB691
                                                                                                                          • GetAsyncKeyState.USER32(00000002), ref: 002EB69F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4210589936-0
                                                                                                                          • Opcode ID: ed93f72245975cc9bc6d3670dbd758cde74f5b16a29e30ce41ab410d4fcd8e45
                                                                                                                          • Instruction ID: 3ca208ffe97ce4a8ec9c404ce96c751dcf6f2d9aae3dba70d7adb26656da4977
                                                                                                                          • Opcode Fuzzy Hash: ed93f72245975cc9bc6d3670dbd758cde74f5b16a29e30ce41ab410d4fcd8e45
                                                                                                                          • Instruction Fuzzy Hash: 32416235604255FFDF279F65C884AEABBB8FB05324F504319F82996290C730AD64DF91
                                                                                                                          APIs
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0030B369
                                                                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 0030B413
                                                                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0030B41B
                                                                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 0030B429
                                                                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0030B431
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessagePostSleep$RectWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3382505437-0
                                                                                                                          • Opcode ID: 9441bb9bedacd59d4286bd2d098d51d2a428525a8e0cef0b1caaf595417142cc
                                                                                                                          • Instruction ID: 43b6a894d743fc33c32dcc5e8f27bee589810f2e304ef4cfc1329e5fd59626d3
                                                                                                                          • Opcode Fuzzy Hash: 9441bb9bedacd59d4286bd2d098d51d2a428525a8e0cef0b1caaf595417142cc
                                                                                                                          • Instruction Fuzzy Hash: D631FF71901319EBDF15CF68DD4CA9EBBB9EB00315F104229F820AB1D1C3B09E50CB90
                                                                                                                          APIs
                                                                                                                          • IsWindowVisible.USER32(?), ref: 0030DBD7
                                                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0030DBF4
                                                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0030DC2C
                                                                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0030DC52
                                                                                                                          • _wcsstr.LIBCMT ref: 0030DC5C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3902887630-0
                                                                                                                          • Opcode ID: 6d0720b31d6e2923ae7a495fc3674b2d5e12763bd9cbd7658c25d1d8d1df5cbf
                                                                                                                          • Instruction ID: e65300c3bc98a292b155aeaef829fa035e33734679a126c3bd6aed527dd29734
                                                                                                                          • Opcode Fuzzy Hash: 6d0720b31d6e2923ae7a495fc3674b2d5e12763bd9cbd7658c25d1d8d1df5cbf
                                                                                                                          • Instruction Fuzzy Hash: A2213472205244BBFB269B799C59E7F7BECDF45750F104039F80ACA0D1EAA1CC41D6A0
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0030BC90
                                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0030BCC2
                                                                                                                          • __itow.LIBCMT ref: 0030BCDA
                                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0030BD00
                                                                                                                          • __itow.LIBCMT ref: 0030BD11
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$__itow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3379773720-0
                                                                                                                          • Opcode ID: 9eb9592dfd71009daa0a93e05df780ab9d55fd601d3f57a293c9620a213ec5d3
                                                                                                                          • Instruction ID: 964cdefb7e3e09a0dd98e4a12dc354c1ae701098b9c804caab28f35e64eb7162
                                                                                                                          • Opcode Fuzzy Hash: 9eb9592dfd71009daa0a93e05df780ab9d55fd601d3f57a293c9620a213ec5d3
                                                                                                                          • Instruction Fuzzy Hash: E221C335601718BBDB22AE658C56FDEFA6CAF49750F400025FA05EB2C1DB608D4587A1
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D50E6: _wcsncpy.LIBCMT ref: 002D50FA
                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,003160C3), ref: 00316369
                                                                                                                          • GetLastError.KERNEL32(?,?,?,003160C3), ref: 00316374
                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003160C3), ref: 00316388
                                                                                                                          • _wcsrchr.LIBCMT ref: 003163AA
                                                                                                                            • Part of subcall function 00316318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003160C3), ref: 003163E0
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3633006590-0
                                                                                                                          • Opcode ID: d59158913308f9e9cda6fcd0e34778ecad599c336227dbd2de20459a315d5ab3
                                                                                                                          • Instruction ID: 42a3e075ffb5f11e8031d8c1c4c78cb1fcefd21526f23615032fa613348b9dab
                                                                                                                          • Opcode Fuzzy Hash: d59158913308f9e9cda6fcd0e34778ecad599c336227dbd2de20459a315d5ab3
                                                                                                                          • Instruction Fuzzy Hash: 1C210B3551421596DB2BABF4AC43FEA239CEF1D391F5008A5F025C30E0EB60D9C08A51
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0032A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0032A84E
                                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00328BD3
                                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00328BE2
                                                                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 00328BFE
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3701255441-0
                                                                                                                          • Opcode ID: d54905385d51eacedf3f32b21bea2f92b97df44f41db136f3aee0362cc837f6c
                                                                                                                          • Instruction ID: 4f6666a9617c31bc21eab510f9c271c51ccc746be36a85f09208c9f6f9096f83
                                                                                                                          • Opcode Fuzzy Hash: d54905385d51eacedf3f32b21bea2f92b97df44f41db136f3aee0362cc837f6c
                                                                                                                          • Instruction Fuzzy Hash: 9F21CD312002249FCB12AF68DC85B7EB7ADEF48720F054449F916AB3A2CB70AC018B61
                                                                                                                          APIs
                                                                                                                          • IsWindow.USER32(00000000), ref: 00328441
                                                                                                                          • GetForegroundWindow.USER32 ref: 00328458
                                                                                                                          • GetDC.USER32(00000000), ref: 00328494
                                                                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 003284A0
                                                                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 003284DB
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$ForegroundPixelRelease
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4156661090-0
                                                                                                                          • Opcode ID: 12bf14badb8136a273dbda2366e469a2a521ee3c5eb2f2e1e7ae4e5aab366792
                                                                                                                          • Instruction ID: d7cf86c7b62713024ce783ebd4f45d20d041e842f75e5de07153752d72e2d143
                                                                                                                          • Opcode Fuzzy Hash: 12bf14badb8136a273dbda2366e469a2a521ee3c5eb2f2e1e7ae4e5aab366792
                                                                                                                          • Instruction Fuzzy Hash: 6421A135A00204AFD711EFA5D889AAEBBE9EF48301F048479E84A97361CF70AC41CB60
                                                                                                                          APIs
                                                                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002EAFE3
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 002EAFF2
                                                                                                                          • BeginPath.GDI32(?), ref: 002EB009
                                                                                                                          • SelectObject.GDI32(?,00000000), ref: 002EB033
                                                                                                                          Similarity
                                                                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3225163088-0
                                                                                                                          • Opcode ID: a8cad02d61f5e5eb8e1de9e6473ea712bff6e99d3b7731d87524de8794401bbc
                                                                                                                          • Instruction ID: 00c3716a285c1e050da47870c2da6335d6a31b29ff3476042f505290b2f1c257
                                                                                                                          • Opcode Fuzzy Hash: a8cad02d61f5e5eb8e1de9e6473ea712bff6e99d3b7731d87524de8794401bbc
                                                                                                                          • Instruction Fuzzy Hash: F6219DB1C10346AFDB239F56EC4879A7B7CBB10356F54421AE821A61B0C37269A18F91
                                                                                                                          APIs
                                                                                                                          • __calloc_crt.LIBCMT ref: 002F21A9
                                                                                                                          • CreateThread.KERNEL32(?,?,002F22DF,00000000,?,?), ref: 002F21ED
                                                                                                                          • GetLastError.KERNEL32 ref: 002F21F7
                                                                                                                          • _free.LIBCMT ref: 002F2200
                                                                                                                          • __dosmaperr.LIBCMT ref: 002F220B
                                                                                                                            • Part of subcall function 002F7C0E: __getptd_noexit.LIBCMT ref: 002F7C0E
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2664167353-0
                                                                                                                          • Opcode ID: ce92b3a4b3a42c57ade33f2dc9702045ba62675c1876a76f61323f58bb813ae7
                                                                                                                          • Instruction ID: 552c8f30e57970d2f97baf695fc9fa2af94f3f5687ebb382e6aab4a863fed9fe
                                                                                                                          • Opcode Fuzzy Hash: ce92b3a4b3a42c57ade33f2dc9702045ba62675c1876a76f61323f58bb813ae7
                                                                                                                          • Instruction Fuzzy Hash: 1C11A93211434E9FA711AFA5DC41D7BB798EF067E0B100439FF1486151DB7198318AA1
                                                                                                                          APIs
                                                                                                                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0030ABD7
                                                                                                                          • GetLastError.KERNEL32(?,0030A69F,?,?,?), ref: 0030ABE1
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,0030A69F,?,?,?), ref: 0030ABF0
                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,0030A69F,?,?,?), ref: 0030ABF7
                                                                                                                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0030AC0E
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 842720411-0
                                                                                                                          • Opcode ID: 3370b213bbf9ad9a3cf6091d247fab80e2039525aa807c66f3a1064c419f6727
                                                                                                                          • Instruction ID: 46dc0367e1af24ab7b65edb760d8ee8ef217b22678c8696fc1ef8f15af21c610
                                                                                                                          • Opcode Fuzzy Hash: 3370b213bbf9ad9a3cf6091d247fab80e2039525aa807c66f3a1064c419f6727
                                                                                                                          • Instruction Fuzzy Hash: 31018170201304BFEB228FA9EC58D6B3BBCEF8A355B110429F406C32A0DA71CD41CB61
                                                                                                                          APIs
                                                                                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00317A74
                                                                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00317A82
                                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00317A8A
                                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00317A94
                                                                                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00317AD0
                                                                                                                          Similarity
                                                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2833360925-0
                                                                                                                          • Opcode ID: c3bf5b204f346f184f386c8d7c1693e5686ed18e965f288ab9cc8156e74dea45
                                                                                                                          • Instruction ID: c096c11661ed9899678e8c573831d1873efa6bca173b91187e4cc58e01c16082
                                                                                                                          • Opcode Fuzzy Hash: c3bf5b204f346f184f386c8d7c1693e5686ed18e965f288ab9cc8156e74dea45
                                                                                                                          • Instruction Fuzzy Hash: EF012931C04A19EBCF16AFE5DC48ADDBB7CFF0C752F090455E902B2260DB30969087A1
APIs
• CLSIDFromProgID.OLE32 ref: 00309ADC
• ProgIDFromCLSID.OLE32(?,00000000), ref: 00309AF7
• lstrcmpiW.KERNEL32(?,00000000), ref: 00309B05
• CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00309B15
• CLSIDFromString.OLE32(?,?), ref: 00309B21
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: d54658f12af4733e129b0a024d924ac878cdcdfcc8ad02b3d6e0b5e7455609e7
• Instruction ID: 916504b23a0e86641de6179ba06b1c2b6bfd15b191c2085bc203ed458194077d
• Opcode Fuzzy Hash: d54658f12af4733e129b0a024d924ac878cdcdfcc8ad02b3d6e0b5e7455609e7
• Instruction Fuzzy Hash: 3B01A276601204BFDB224F58EC44B9A7BFDEF44362F144025F906D6261D770DD409BA0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0030AA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0030AA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0030AA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0030AA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0030AAAF
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: cbbd2be722b9d3d0cae1f7e1bca4d51e6bc7826dc9c381aba2a23d4ceb555533
• Instruction ID: 71757af330604ea6518a6b492c450a910e8ba24937863b1690595f07d397bc9b
• Opcode Fuzzy Hash: cbbd2be722b9d3d0cae1f7e1bca4d51e6bc7826dc9c381aba2a23d4ceb555533
• Instruction Fuzzy Hash: 6EF04F752117046FEB225FA4AC89E6B3BACFF49755F000419F941C71E1DB609C41CA61
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0030AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0030AAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030AAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0030AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030AB10
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: f8a740a905142a4962f5fef618f16a23156ddc0fb3c06b9a798f59389bc79c40
• Instruction ID: cbe9140b1e3c644987b9ff029ee2aa1a38d6489f47403861e7be70cbf9f008a1
• Opcode Fuzzy Hash: f8a740a905142a4962f5fef618f16a23156ddc0fb3c06b9a798f59389bc79c40
• Instruction Fuzzy Hash: 15F04F752017086FEB220FA8EC98E6B3B6DFF45755F400029F942C71A0CA609941CA61
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0030EC94
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0030ECAB
• MessageBeep.USER32(00000000), ref: 0030ECC3
• KillTimer.USER32(?,0000040A), ref: 0030ECDF
• EndDialog.USER32(?,00000001), ref: 0030ECF9
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: a142d53291c4e51181ac6c79988cb57cdc930031ce34814ed05e98aeccef960c
• Instruction ID: 97dc205976cf3fac7b754a6336b5b7c286b3b68e841c877aa4ca190623cf7275
• Opcode Fuzzy Hash: a142d53291c4e51181ac6c79988cb57cdc930031ce34814ed05e98aeccef960c
• Instruction Fuzzy Hash: 54018130600715ABFB369B50DE5EB967BBCFB00B06F000959F582A54E0EBF1AA84CB40
APIs
• EndPath.GDI32(?), ref: 002EB0BA
• StrokeAndFillPath.GDI32(?,?,0034E680,00000000,?,?,?), ref: 002EB0D6
• SelectObject.GDI32(?,00000000), ref: 002EB0E9
• DeleteObject.GDI32 ref: 002EB0FC
• StrokePath.GDI32(?), ref: 002EB117
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 7fff986f1defbf497bdfb1107b688737280d2c750fffe9437b35b468bda3f190
• Instruction ID: 9f1522c9e101247501cb2c7d14591e855c1a946723c3111e208ecd90be8a16a4
• Opcode Fuzzy Hash: 7fff986f1defbf497bdfb1107b688737280d2c750fffe9437b35b468bda3f190
• Instruction Fuzzy Hash: 3EF01935410646EFCB339F66EC0C7553B68A701362F488316E829A90F0C7328975CF20
APIs
• CoInitialize.OLE32(00000000), ref: 0031F2DA
• CoCreateInstance.OLE32(0035DA7C,00000000,00000001,0035D8EC,?), ref: 0031F2F2
• CoUninitialize.OLE32 ref: 0031F555
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: .lnk
• API String ID: 948891078-24824748
• Opcode ID: 9bd87985fe3bac6b4ee6a0a199db1af5fb78b5d252be0a77a56158a1136d74eb
• Instruction ID: 6b0168de1099767c27129136c10cc228ed5732d3cf91aff36ca7b515407cfef7
• Opcode Fuzzy Hash: 9bd87985fe3bac6b4ee6a0a199db1af5fb78b5d252be0a77a56158a1136d74eb
• Instruction Fuzzy Hash: C7A16B72114201AFD300EF64C881DABB7ECEF99704F50491EF156972A2EBB0EA59CF52
APIs
  • Part of subcall function 002D660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D53B1,?,?,002D61FF,?,00000000,00000001,00000000), ref: 002D662F
• CoInitialize.OLE32(00000000), ref: 0031E85D
• CoCreateInstance.OLE32(0035DA7C,00000000,00000001,0035D8EC,?), ref: 0031E876
• CoUninitialize.OLE32 ref: 0031E893
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: 7df215fdf198ed455f0f3c25eba6e22712c69cb28a55563f5845f035eaa54091
• Instruction ID: c02f53d0c897898ecf594a252793ce0f898b6ef722c3db590ee41f61cf3dd7dd
• Opcode Fuzzy Hash: 7df215fdf198ed455f0f3c25eba6e22712c69cb28a55563f5845f035eaa54091
• Instruction Fuzzy Hash: 6DA134756043019FCB15EF14C884D5ABBE9BF88710F158989F99A9B3A1CB32EC85CF91
                                                                                                                          APIs
                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 002F32ED
                                                                                                                            • Part of subcall function 002FE0D0: __87except.LIBCMT ref: 002FE10B
                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
APIs
• CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0036DC50,?,0000000F,0000000C,00000016,0036DC50,?), ref: 00314645
  • Part of subcall function 002D936C: __swprintf.LIBCMT ref: 002D93AB
  • Part of subcall function 002D936C: __itow.LIBCMT ref: 002D93DF
• CharUpperBuffW.USER32(?,?,00000000,?), ref: 003146C5
Strings
Similarity
• API ID: BuffCharUpper$__itow__swprintf
• String ID: REMOVE$THIS
• API String ID: 3797816924-776492005
APIs
  • Part of subcall function 0031430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0030BC08,?,?,00000034,00000800,?,00000034), ref: 00314335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0030C1D3
  • Part of subcall function 003142D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0030BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00314300
  • Part of subcall function 0031422F: GetWindowThreadProcessId.USER32(?,?), ref: 0031425A
  • Part of subcall function 0031422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0030BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0031426A
  • Part of subcall function 0031422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0030BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00314280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0030C240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0030C28D
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0036DC00,00000000,?,?,?,?), ref: 0033A6D8
• GetWindowLongW.USER32 ref: 0033A6F5
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0033A705
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
• _memset.LIBCMT ref: 00325190
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003251C6
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |$D2
• API String ID: 1413715105-1414044161
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0033A15E
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0033A172
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0033A196
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0033A941
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0033A94F
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0033A956
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00339A30
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00339A40
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00339A65
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0033A46D
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0033A482
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0033A48F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 7b83e952a2fd4f70200005a5075054e7aac39f823a98d4230e7dae1e16c88826
• Instruction ID: 3b0ee4e522a34fed7f027c36d4642dd5c6aa2ac0f420275eaeecf2cb6a115f2e
• Opcode Fuzzy Hash: 7b83e952a2fd4f70200005a5075054e7aac39f823a98d4230e7dae1e16c88826
• Instruction Fuzzy Hash: C6110A71240308BEEF225F65CC46FEB3B6DEF89754F024118FA45A61E1D6B2E811CB20
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,002F2350,?), ref: 002F22A1
• GetProcAddress.KERNEL32(00000000), ref: 002F22A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 2574300362-340411864
• Opcode ID: 2a72a1569d37d46e84074801f4aceff3833101a06513d391c76ef5bcb682b0f5
• Instruction ID: 110f30727ea93b0a9056deec15678f68f87ce18926af69ef03be8e33f16c6112
• Opcode Fuzzy Hash: 2a72a1569d37d46e84074801f4aceff3833101a06513d391c76ef5bcb682b0f5
• Instruction Fuzzy Hash: 03E01A78AA0301AFEB625F70EC49B65366CAB01702F104062F602D50B0CBBA4088DF04
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002F2276), ref: 002F2376
• GetProcAddress.KERNEL32(00000000), ref: 002F237D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 2574300362-2819208100
• Opcode ID: 54813550cdacd7d50da17f9fbb8f7ec141f63dfe9bafd8490b4eb4c234b7d208
• Instruction ID: 9eb3a9f3d8c9ca8dd394765a55f39449f08a57e6e5e1862e03c35ca439e99aac
• Opcode Fuzzy Hash: 54813550cdacd7d50da17f9fbb8f7ec141f63dfe9bafd8490b4eb4c234b7d208
• Instruction Fuzzy Hash: CFE0B6B8554305EFEB375F60ED0DB253A6DBB00702F100466F60AE60B0CBBA5458DB15
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: ca33e8b8e6690b06f163aa052a3b71211239eb826d7b72937b7b3d2a007a4311
• Instruction ID: 99b4044abbdeb664b53e44c20ec76e9110390b00e5ebf7b160467ab4bb766eac
• Opcode Fuzzy Hash: ca33e8b8e6690b06f163aa052a3b71211239eb826d7b72937b7b3d2a007a4311
• Instruction Fuzzy Hash: 05E0EC71884A58DBCA92A7509D859F9B3FCA704741F500492B90AE5810E735AF94AA12
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,003321FB,?,003323EF), ref: 00332213
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00332225
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetProcessId$kernel32.dll
• API String ID: 2574300362-399901964
• Opcode ID: 6cb669f7cdb683d68c18b9f5ea368fabb04252b9ee9b8c832d37a92deeca708d
• Instruction ID: f35f266d6ced7bf6c32a81981525a819a9dee610177feba3c4b94db9c278c75a
• Opcode Fuzzy Hash: 6cb669f7cdb683d68c18b9f5ea368fabb04252b9ee9b8c832d37a92deeca708d
• Instruction Fuzzy Hash: 52D0A734400B179FC7B35F30FC4864376E8EB09301F014859F842E2560D770D8808790
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,002D42EC,?,002D42AA,?), ref: 002D4304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D4316
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: bcc3d8c2258c20d52b1f02614f3e59f371d2a89ca202829d32f2d098229359d1
• Instruction ID: b3fd2e58f530aca88ef184ba900f3904a2f3853b808bbe051f45e80d53e9855e
• Opcode Fuzzy Hash: bcc3d8c2258c20d52b1f02614f3e59f371d2a89ca202829d32f2d098229359d1
• Instruction Fuzzy Hash: F8D0A730414B139FC7B26F34E80C64276E8EB04702F10449AF452D2370D7B0CC808710
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,002D41BB,002D4341,?,002D422F,?,002D41BB,?,?,?,?,002D39FE,?,00000001), ref: 002D4359
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D436B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: 2cfb572c7a57f33f32f8d009cce73f0f73220df308254b2c5b5276ba9bc62912
• Instruction ID: 89c72cbcc9d20ae4490e0e53aeb82fa0a28816db35d02ea8927e7157403ff17e
• Opcode Fuzzy Hash: 2cfb572c7a57f33f32f8d009cce73f0f73220df308254b2c5b5276ba9bc62912
• Instruction Fuzzy Hash: 28D0A730410B139FC7726F34E808A4276E8AB10716F10449AF482E2360D7B0DD808710
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,?,0031051D,?,003105FE), ref: 00310547
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00310559
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1071820185
• Opcode ID: 8ae266a3cf08c8e0d1ec252e6510914c5fc91de6195cb789cd582af81070a769
• Instruction ID: 52605f72f8dfd3c29442038f534de4467b4d44743eccb1db874a9d4920a36f61
• Opcode Fuzzy Hash: 8ae266a3cf08c8e0d1ec252e6510914c5fc91de6195cb789cd582af81070a769
• Instruction Fuzzy Hash: 82D0A730404B129FC7369F31E80868676F8AF05302F11C45DF447D2160D6B0C9C0CB10
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0031052F,?,003106D7), ref: 00310572
• GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00310584
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: UnRegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1587604923
• Opcode ID: 307afa9121d6cf02ec6081a07ee19d4aa83b662dc818834a618ba85848e67894
• Instruction ID: 885a40f859372fb6451c0afc7eef38bb99c73de5c9bf65b1fb63e0aad7d7fbb7
• Opcode Fuzzy Hash: 307afa9121d6cf02ec6081a07ee19d4aa83b662dc818834a618ba85848e67894
• Instruction Fuzzy Hash: 5CD05E30404B129EC7266F31A848A8277E8AB09301F11845AE942D2160D6B0C5C0CB20
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0032ECBE,?,0032EBBB), ref: 0032ECD6
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0032ECE8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: a4657a2d808d145a76d94b5f03aed3784ab287c05f00dd5f7f63d9e2101adc07
• Instruction ID: 8fba5ba0da5a0534fa504948773d6b51734bd439afbdf7b0521c9e05c72444d2
• Opcode Fuzzy Hash: a4657a2d808d145a76d94b5f03aed3784ab287c05f00dd5f7f63d9e2101adc07
• Instruction Fuzzy Hash: 41D0A730400B339FCB336FB1F8497427AE8AB00301F01845AF846D2660DB70D8808720
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,0032BAD3,00000001,0032B6EE,?,0036DC00), ref: 0032BAEB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0032BAFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 2ea58673e15657db4c175c3f778681df49afe8feca54e0a70c8775c80f5bb3b9
• Instruction ID: e47086f5c92fbea98d2f0276de316f137f4837ecbb1c884436e0df19b8907298
• Opcode Fuzzy Hash: 2ea58673e15657db4c175c3f778681df49afe8feca54e0a70c8775c80f5bb3b9
• Instruction Fuzzy Hash: 2BD05E70804B229EC7326F30B848A52B7E8AB00301F114859E843D2560E770D880C710
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00333BD1,?,00333E06), ref: 00333BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00333BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: ca44217a6a290e860fce22edcb93282e83e181e67dcc95db4728d432afafa93b
• Instruction ID: 90536a97d71ec5962ad7b5a72d2a2491f2598cb422194ff961b595d1700129b2
• Opcode Fuzzy Hash: ca44217a6a290e860fce22edcb93282e83e181e67dcc95db4728d432afafa93b
• Instruction Fuzzy Hash: 2DD0A770500B139FC7326F70E8486C3BEF8AB01315F118459E446E2560E6B4C5C08F10
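The function blocks above (RegisterTypeLibForUser, UnRegisterTypeLibForUser, GetSystemWow64DirectoryW, GetModuleHandleExW, RegDeleteKeyExW) share one shape: a LoadLibraryA on a DLL name followed by a GetProcAddress on an export. Exports resolved this way never appear in the PE's static import table, so when triaging a report it helps to collect them from the "APIs" listings and compare them with the static imports. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's plain-text "APIs" sections, pairs each LoadLibrary* call with the next GetProcAddress in the same block (an assumption about how the sandbox orders the calls, which holds for every block on this page), and returns (dll, export) tuples. The sample input is constructed from lines in the report's own format.

```python
"""Collect dynamically resolved imports from a Joe Sandbox 'APIs' listing.

Added example, not part of the Joe Sandbox report. Pairing rule (assumed):
the next GetProcAddress in the same function block belongs to the
preceding LoadLibrary* call.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: four function blocks in the report's line format
# (indented lines, '•' bullets, 'Part of subcall' nesting, 'ref:' addresses).
SAMPLE_REPORT = """
    APIs
    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0031052F,?,003106D7), ref: 00310572
    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00310584
    Strings
    Memory Dump Source
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,?,0032ECBE,?,0032EBBB), ref: 0032ECD6
    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0032ECE8
    Strings
    APIs
    • CoInitialize.OLE32(00000000), ref: 0032AAB4
    • CoUninitialize.OLE32 ref: 0032AABF
      • Part of subcall function 00310213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?), ref: 0031027B
    • VariantInit.OLEAUT32(?), ref: 0032AACA
    Memory Dump Source
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll,?,00333BD1,?,00333E06), ref: 00333BE9
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00333BFB
"""

# One call line: optional subcall prefix, Api.MODULE, optional (args), ', ref: ADDR'
_API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass(frozen=True)
class ApiCall:
    api: str               # e.g. "GetProcAddress"
    module: str            # e.g. "KERNEL32"
    args: tuple[str, ...]  # argument values as printed by the sandbox ('?' = unknown)
    ref: str               # call-site address inside the dumped image
    subcall: bool          # True for lines marked "Part of subcall function"


def parse_api_blocks(report_text: str) -> list[list[ApiCall]]:
    """Return one list of ApiCall per 'APIs' section, in report order."""
    blocks: list[list[ApiCall]] = []
    current: list[ApiCall] | None = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None:
            continue
        m = _API_LINE.match(line)
        if m is None:
            current = None  # first non-call line closes the section
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        current.append(ApiCall(m.group("api"), m.group("module"), args,
                               m.group("ref"), m.group("sub") is not None))
    return blocks


def resolved_imports(report_text: str) -> list[tuple[str, str]]:
    """(dll, export) pairs: each LoadLibrary* paired with the next GetProcAddress in its block."""
    pairs: list[tuple[str, str]] = []
    for block in parse_api_blocks(report_text):
        pending_dll: str | None = None
        for call in block:
            if call.api in _LOADERS and call.args and call.args[0] != "?":
                pending_dll = call.args[0].lower()
            elif call.api == "GetProcAddress" and pending_dll is not None and len(call.args) >= 2:
                pairs.append((pending_dll, call.args[1]))  # args[1] is the export name (or ordinal)
                pending_dll = None
    return pairs


def imports_by_dll(report_text: str) -> dict[str, list[str]]:
    """Group resolved exports by DLL, de-duplicated and sorted, for a quick triage view."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for dll, export in resolved_imports(report_text):
        grouped[dll].add(export)
    return {dll: sorted(exports) for dll, exports in sorted(grouped.items())}


if __name__ == "__main__":
    for dll, exports in imports_by_dll(SAMPLE_REPORT).items():
        print(f"{dll}: {', '.join(exports)}")
```

Run it on the text of a whole report rather than the constructed sample to get the complete list of run-time resolved exports; a GetProcAddress whose block has no preceding LoadLibrary* (for example one fed by GetModuleHandle) is deliberately not paired, so extend the loader set if the report you are reading uses that pattern.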
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aac862e3fd8e7dd0bd7a9ea167c92d518b16276f4fe4dc8dbac8d11ba9e12de6
• Instruction ID: 42ea498ea504b1ecbcb60b00c7085d4de5193b56a2e4f0e67aee0132941009fe
• Opcode Fuzzy Hash: aac862e3fd8e7dd0bd7a9ea167c92d518b16276f4fe4dc8dbac8d11ba9e12de6
• Instruction Fuzzy Hash: F6C16B75A0121AEFDB15CF94C8A4BAEB7B9FF48700F11459AE801AF292D730DE41CB90
APIs
• CoInitialize.OLE32(00000000), ref: 0032AAB4
• CoUninitialize.OLE32 ref: 0032AABF
  • Part of subcall function 00310213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0031027B
• VariantInit.OLEAUT32(?), ref: 0032AACA
• VariantClear.OLEAUT32(?), ref: 0032AD9D
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 912b4bb1865f4998f01880e8974c2de10ed8875193d2172c781a6089dc5f4336
• Instruction ID: 20848132eafae875fdb0e636117c2d17f74274f54f06e358908e7172a03fa282
• Opcode Fuzzy Hash: 912b4bb1865f4998f01880e8974c2de10ed8875193d2172c781a6089dc5f4336
• Instruction Fuzzy Hash: 4FA16A75204B119FCB11EF14D491B1AB7E9BF88710F158449FA9A9B3A2CB30ED54CF86
APIs
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 88ee40410a1306c56e051885cf95272b08c512b3369fb4ad0d49a5f74358f4af
• Instruction ID: 438cdfbf2fde6db5eb00e63cf89ade4e1087afcd27b434a4b035615db0ae0f31
• Opcode Fuzzy Hash: 88ee40410a1306c56e051885cf95272b08c512b3369fb4ad0d49a5f74358f4af
• Instruction Fuzzy Hash: 465195346153069BDB269F66D4B176EB3E9EF48310F20885FE546CB6D3DB7098808F05
APIs
• GetWindowRect.USER32(01046C08,?), ref: 0033C544
• ScreenToClient.USER32(?,00000002), ref: 0033C574
• MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0033C5DA
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 49225651c771372e558583211a33c490a10eac8e892c868ce767c573f50753d2
• Instruction ID: d308cb6cf124b30bf91b1cc6596cd42376815881952ff6d98db55ee3d2f87d56
• Opcode Fuzzy Hash: 49225651c771372e558583211a33c490a10eac8e892c868ce767c573f50753d2
• Instruction Fuzzy Hash: 5E518071A10205EFDF22CF68C8C1AAE77B9FB45320F159259F825AB290D730ED81CB90
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0030C462
                                                                                                                          • __itow.LIBCMT ref: 0030C49C
                                                                                                                            • Part of subcall function 0030C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0030C753
                                                                                                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0030C505
                                                                                                                          • __itow.LIBCMT ref: 0030C55A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend$__itow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3379773720-0
                                                                                                                          • Opcode ID: 7ca2cd3c808b091e4fe938330fdc09fbf55a3aa0c9290904a85e00795c89c460
                                                                                                                          • Instruction ID: 040c1d98ef04e1a478ab1d51d5fb1475872a3ac56a182d02a5d744efe7e18181
                                                                                                                          • Opcode Fuzzy Hash: 7ca2cd3c808b091e4fe938330fdc09fbf55a3aa0c9290904a85e00795c89c460
                                                                                                                          • Instruction Fuzzy Hash: A341C571A10209ABDF26EF58CC61BEE7BB9AF49700F00001AFA05A72C1DB749E55CF91
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00313966
                                                                                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00313982
                                                                                                                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003139EF
                                                                                                                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00313A4D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 432972143-0
                                                                                                                          • Opcode ID: 279d07d8d31d02f059302e69e430241f5fcdf535864b48906a61855732cd2031
                                                                                                                          • Instruction ID: 6647d226c9362be7f460c252b7bc5a0b31dd581acad25d431f20d670c3f3a935
                                                                                                                          • Opcode Fuzzy Hash: 279d07d8d31d02f059302e69e430241f5fcdf535864b48906a61855732cd2031
                                                                                                                          • Instruction Fuzzy Hash: 13410770A04248AAEF3B8B64C805BFEBBB99F5D321F04015AE4C1A62D1C7B48ED5D765
                                                                                                                          APIs
                                                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0031E742
                                                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0031E768
                                                                                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0031E78D
                                                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0031E7B9
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3321077145-0
                                                                                                                          • Opcode ID: 1f56092aecf2bed860c0f052d2e875fb4bcc09fb90efe2924f52dc0b25ca5391
                                                                                                                          • Instruction ID: de6b1bdf176146ab2056af6334fba4b449412e549c8e79cb5a809b962782e59e
                                                                                                                          • Opcode Fuzzy Hash: 1f56092aecf2bed860c0f052d2e875fb4bcc09fb90efe2924f52dc0b25ca5391
                                                                                                                          • Instruction Fuzzy Hash: 0F412539200650DFCB16AF59C44498DBBE5BF59710F198489E906AB3A2CB71FD908F91
                                                                                                                          APIs
                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0033B5D1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InvalidateRect
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 634782764-0
                                                                                                                          • Opcode ID: a98ade1d31e643f8280019f3a359da9b5ee8fc019c2dfd3e64018ebdfd34c68b
                                                                                                                          • Instruction ID: 095272211110bc080b43dd90dc3ae3b5cd3e50190c709e46344dcde94f5d3f8b
                                                                                                                          • Opcode Fuzzy Hash: a98ade1d31e643f8280019f3a359da9b5ee8fc019c2dfd3e64018ebdfd34c68b
                                                                                                                          • Instruction Fuzzy Hash: 7A319C74601208ABEF239F18CCCAFA9B769AB06350F654502FB51E66E2C731A9909B51
                                                                                                                          APIs
                                                                                                                          • ClientToScreen.USER32(?,?), ref: 0033D807
                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0033D87D
                                                                                                                          • PtInRect.USER32(?,?,0033ED5A), ref: 0033D88D
                                                                                                                          • MessageBeep.USER32(00000000), ref: 0033D8FE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1352109105-0
                                                                                                                          • Opcode ID: 4fc96aa607d9168daa4311905df1893375fe4d89a4026ea9bf6b0fb611dcae68
                                                                                                                          • Instruction ID: a00303e28144a3c6742898eef40509672ee9d25cdd94213867b81fecc3a3e589
                                                                                                                          • Opcode Fuzzy Hash: 4fc96aa607d9168daa4311905df1893375fe4d89a4026ea9bf6b0fb611dcae68
                                                                                                                          • Instruction Fuzzy Hash: D0415974A00219DFCB13DF59E8C4BA9BBF9BB49311F1981AAE8149F261D731E945CB40
                                                                                                                          APIs
                                                                                                                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00313AB8
                                                                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00313AD4
                                                                                                                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00313B34
                                                                                                                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00313B92
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 432972143-0
                                                                                                                          • Opcode ID: 66eae63ab91251b8f341bb55c5552685ca806967125cabce1fc9d2a2c3ed9bf2
                                                                                                                          • Instruction ID: afb027095800e553b087d7e26a932b8713c3212a1133ad085a7211562cf1a769
                                                                                                                          • Opcode Fuzzy Hash: 66eae63ab91251b8f341bb55c5552685ca806967125cabce1fc9d2a2c3ed9bf2
                                                                                                                          • Instruction Fuzzy Hash: 79314670A08258AEEF3B8B6488197FE7BB99B4D310F05411AE481971D1E7748BC5C766
                                                                                                                          APIs
                                                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00304038
                                                                                                                          • __isleadbyte_l.LIBCMT ref: 00304066
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00304094
                                                                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003040CA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3058430110-0
                                                                                                                          • Opcode ID: 3b8f7cb6767e0c68ce93f1e6ba9ecf1c640b1c044127b799251d535e4eda5b3e
                                                                                                                          • Instruction ID: e5e105aa0fa35dd30fac9e38516c8dd5a3e3de3ee3e4067520f33ec0514a3718
                                                                                                                          • Opcode Fuzzy Hash: 3b8f7cb6767e0c68ce93f1e6ba9ecf1c640b1c044127b799251d535e4eda5b3e
                                                                                                                          • Instruction Fuzzy Hash: D831E670601206EFDB229F35CC54B7ABBA9FF40350F164028E751A71E0E731EAA0DB90
                                                                                                                          APIs
                                                                                                                          • GetForegroundWindow.USER32 ref: 00337CB9
                                                                                                                            • Part of subcall function 00315F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00315F6F
                                                                                                                            • Part of subcall function 00315F55: GetCurrentThreadId.KERNEL32 ref: 00315F76
                                                                                                                            • Part of subcall function 00315F55: AttachThreadInput.USER32(00000000,?,0031781F), ref: 00315F7D
                                                                                                                          • GetCaretPos.USER32(?), ref: 00337CCA
                                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00337D03
                                                                                                                          • GetForegroundWindow.USER32 ref: 00337D09
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2759813231-0
                                                                                                                          • Opcode ID: 11655b299e4cbf3863d2c0c2ea1eb916f37ca109e4cf2af36504746f786876c3
                                                                                                                          • Instruction ID: 28abeaff56620088d99fc8fbab87164d4601cbb929dc5f509d3077b6ffd21e3f
                                                                                                                          • Opcode Fuzzy Hash: 11655b299e4cbf3863d2c0c2ea1eb916f37ca109e4cf2af36504746f786876c3
                                                                                                                          • Instruction Fuzzy Hash: 41314F72900108AFCB11EFA6C8859EFBBFDEF58310F119466E815E7211DA309E45CFA0
APIs
  • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
• GetCursorPos.USER32(?), ref: 0033F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0034E4C0,?,?,?,?,?), ref: 0033F226
• GetCursorPos.USER32(?), ref: 0033F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0034E4C0,?,?,?), ref: 0033F2A6
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 1b6c08a96e9f71e5482d6bf882c686f7679beef5ea131d37dac072316f7052bc
• Instruction ID: 96ed6fb56b3c0be9d3cf90528ee6419d27663d4319176dfbf8bcdd52f2d9df05
• Opcode Fuzzy Hash: 1b6c08a96e9f71e5482d6bf882c686f7679beef5ea131d37dac072316f7052bc
• Instruction Fuzzy Hash: ED21A03D900118EFCB278F94C898EEB7BB9EF0A311F444869F905972A1D3319D60DB90
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00324358
  • Part of subcall function 003243E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00324401
  • Part of subcall function 003243E2: InternetCloseHandle.WININET(00000000), ref: 0032449E
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 4d22bd441782ac5827a4578f5d76720cd9a51df42e98d40b3e200a7a967cc321
• Instruction ID: 5e72a29cc2d7a809fe9aa52cccacf56695fb489aed068e203f362b674873effa
• Opcode Fuzzy Hash: 4d22bd441782ac5827a4578f5d76720cd9a51df42e98d40b3e200a7a967cc321
• Instruction Fuzzy Hash: 13218E79200725BBEB239F60EC00FBBB7ADFF48711F14401ABA1596660DB7198219B90
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00338AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00338AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00338ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00338ADC
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 1d11232f04fdd62aec5653c32b6e0682a392c276c535ea49d831e9ba1f619399
• Instruction ID: 20edf4638e6d842af2b17e6470d1900e7480ae47eef3f7aa5cad7d73b53de7c8
• Opcode Fuzzy Hash: 1d11232f04fdd62aec5653c32b6e0682a392c276c535ea49d831e9ba1f619399
• Instruction Fuzzy Hash: 5D11D031255611AFD716AB28CC45FBA77ADEF85321F14411AF816CB3E2CF70AC118B90
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00328AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00328AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00328AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00328B16
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: 90a96c0d9071f18c10842a1df9fd2453b382e8a494404f176b3e00911c1e4684
• Instruction ID: 9b0c1407d0701cb67b5ad002934613980ac159045e7d3645457e75ad59e92ac7
• Opcode Fuzzy Hash: 90a96c0d9071f18c10842a1df9fd2453b382e8a494404f176b3e00911c1e4684
• Instruction Fuzzy Hash: B6219372A001249FC7219F69D885A9EBBECEF49710F01416AF84AD7291DB749A418F90
APIs
  • Part of subcall function 00311E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00310ABB,?,?,?,0031187A,00000000,000000EF,00000119,?,?), ref: 00311E77
  • Part of subcall function 00311E68: lstrcpyW.KERNEL32(00000000,?,?,00310ABB,?,?,?,0031187A,00000000,000000EF,00000119,?,?,00000000), ref: 00311E9D
  • Part of subcall function 00311E68: lstrcmpiW.KERNEL32(00000000,?,00310ABB,?,?,?,0031187A,00000000,000000EF,00000119,?,?), ref: 00311ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0031187A,00000000,000000EF,00000119,?,?,00000000), ref: 00310AD4
• lstrcpyW.KERNEL32(00000000,?,?,0031187A,00000000,000000EF,00000119,?,?,00000000), ref: 00310AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0031187A,00000000,000000EF,00000119,?,?,00000000), ref: 00310B2E
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 035b822e27d79d10afc233ce908818da0049dffb5db7ad9989db7b08a96abca1
• Instruction ID: 1a51448bbf8fa71da67001f13cbc8e0e1f672722ae939ffeb9940f6a51b26366
• Opcode Fuzzy Hash: 035b822e27d79d10afc233ce908818da0049dffb5db7ad9989db7b08a96abca1
• Instruction Fuzzy Hash: 83117536114305AFDB2A9F64D845DBA77A8FF49354F81806AE905CB150EB71D990C7A0
APIs
• _free.LIBCMT ref: 00302FB5
  • Part of subcall function 002F395C: __FF_MSGBANNER.LIBCMT ref: 002F3973
  • Part of subcall function 002F395C: __NMSG_WRITE.LIBCMT ref: 002F397A
  • Part of subcall function 002F395C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000001,00000000,?,?,002EF507,?,0000000E), ref: 002F399F
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: b1f00087dfa1893689a148b907015852765b226cd770cd082837ef4fa2fab925
• Instruction ID: 365a1d6fd4852c50096669f95d638c204f31c6b675e1aba816fd7d87418fd537
• Opcode Fuzzy Hash: b1f00087dfa1893689a148b907015852765b226cd770cd082837ef4fa2fab925
• Instruction Fuzzy Hash: 5511E73240B216ABDB333B70AC1467A7B9CAF107E0F214536F909D61A1DB30C9509F90
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003105AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003105C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003105DD
• FreeLibrary.KERNEL32(?), ref: 00310632
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: ccfaadb5b3fdb6a1490b071604cc9cd2b9365083b4e961c7837e3d8f21688bc7
• Instruction ID: c40422104cdd913b3bf8aca8b06a2d11fa7e0eab52f5e5c99e34b3240cd5cbc8
• Opcode Fuzzy Hash: ccfaadb5b3fdb6a1490b071604cc9cd2b9365083b4e961c7837e3d8f21688bc7
• Instruction Fuzzy Hash: 3B218171900309EFDB2A8F91DC88ADABBBCEF48704F008469E516D6050DBB4EAD5DF50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00316733
• _memset.LIBCMT ref: 00316754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003167A6
• CloseHandle.KERNEL32(00000000), ref: 003167AF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1157408455-0
                                                                                                                          • Opcode ID: f7b16ec831f4d86afe208e90d73178d5f8f62b0bfea1d4035ebc1b36641fa3e1
                                                                                                                          • Instruction ID: 20f739934200f1d0b471bf104c458b7cc2f9a942578b4ead87902336203c92d5
                                                                                                                          • Opcode Fuzzy Hash: f7b16ec831f4d86afe208e90d73178d5f8f62b0bfea1d4035ebc1b36641fa3e1
                                                                                                                          • Instruction Fuzzy Hash: 7711CA759012287AE73157A5AC4DFEBBABCEF44764F10419AF504E71D0D2744F80CB64
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0030AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0030AA79
                                                                                                                            • Part of subcall function 0030AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0030AA83
                                                                                                                            • Part of subcall function 0030AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0030AA92
                                                                                                                            • Part of subcall function 0030AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0030AA99
                                                                                                                            • Part of subcall function 0030AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0030AAAF
                                                                                                                          • GetLengthSid.ADVAPI32(?,00000000,0030ADE4,?,?), ref: 0030B21B
                                                                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0030B227
                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 0030B22E
                                                                                                                          • CopySid.ADVAPI32(?,00000000,?), ref: 0030B247
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4217664535-0
                                                                                                                          • Opcode ID: ebd7488cfb2bbceb53118b6ff78d3a0106a6223882c1248c336bed7a650594a3
                                                                                                                          • Instruction ID: ded781cbfd72eb9a293507e7eca913dad581e8d8bb080d93d552011166368429
                                                                                                                          • Opcode Fuzzy Hash: ebd7488cfb2bbceb53118b6ff78d3a0106a6223882c1248c336bed7a650594a3
                                                                                                                          • Instruction Fuzzy Hash: 9E11CE71A01205EFCB16DF98DCA4AAEB7ADEF84304F14882DE942972A0D731AE44CB50
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0030B498
                                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0030B4AA
                                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0030B4C0
                                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0030B4DB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3850602802-0
                                                                                                                          • Opcode ID: fb331158ef0f5a7479369ac12794ed20b48377ccdefc5d110235398c215db5bb
                                                                                                                          • Instruction ID: 6fb20a8f6cfd916d82b9019035eb95c4de3eae5f78727d9cfa085be7cb02133b
                                                                                                                          • Opcode Fuzzy Hash: fb331158ef0f5a7479369ac12794ed20b48377ccdefc5d110235398c215db5bb
                                                                                                                          • Instruction Fuzzy Hash: 0A11187A901218FFDB11DFA9C985F9DBBB8FB08710F204091E604B7295D771AE11DB94
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 002EB5A5
                                                                                                                          • GetClientRect.USER32(?,?), ref: 0034E69A
                                                                                                                          • GetCursorPos.USER32(?), ref: 0034E6A4
                                                                                                                          • ScreenToClient.USER32(?,?), ref: 0034E6AF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4127811313-0
                                                                                                                          • Opcode ID: 0938105d8b59bc98e1ab0ef6c421f6da733ce2977c35eaafae634d93dc00f172
                                                                                                                          • Instruction ID: 7118544613175da2c8e4b0915a2f7db84dc044abf045d0ec71309800309068e3
                                                                                                                          • Opcode Fuzzy Hash: 0938105d8b59bc98e1ab0ef6c421f6da733ce2977c35eaafae634d93dc00f172
                                                                                                                          • Instruction Fuzzy Hash: 5F11483191016ABFCB12DF94DC858EE7BB9FB09305F810451F912E7150D374BA92CBA1
                                                                                                                          APIs
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00317352
                                                                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00317385
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0031739B
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003173A2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2880819207-0
                                                                                                                          • Opcode ID: eb5cb80fb9f0b7e8b692fb1d0b6d0e7dacca60f2ffe0bad567c579ac5eefb2c4
                                                                                                                          • Instruction ID: 57586949819c862481e5498f32a64c88365f7976b3e654af5a46f46bf39d5e9f
                                                                                                                          • Opcode Fuzzy Hash: eb5cb80fb9f0b7e8b692fb1d0b6d0e7dacca60f2ffe0bad567c579ac5eefb2c4
                                                                                                                          • Instruction Fuzzy Hash: 831104B6A08204AFC7079BA8DC09ADE7BBD9B49311F084716F925D32A1D7708E409BA1
                                                                                                                          APIs
                                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002ED1BA
                                                                                                                          • GetStockObject.GDI32(00000011), ref: 002ED1CE
                                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 002ED1D8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateMessageObjectSendStockWindow
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3970641297-0
                                                                                                                          • Opcode ID: 37a3ffd536e9cd1876e0f32e69957e71b2e9b9955f23f85f0ec4ae6a02291541
                                                                                                                          • Instruction ID: 99e01a2847759e5f31b62ea937277f8aa9847d0440c134018939ac667fd65d56
                                                                                                                          • Opcode Fuzzy Hash: 37a3ffd536e9cd1876e0f32e69957e71b2e9b9955f23f85f0ec4ae6a02291541
                                                                                                                          • Instruction Fuzzy Hash: E411AD7255168ABFEB124FA1DC50EEABB6DFF08365F440102FA195A060C771DD609BA0
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3016257755-0
                                                                                                                          • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                                                          • Instruction ID: 4afffc025298a1fd9df625cb872fdc65a4944d5d29718b07a85810c5fd36ce59
                                                                                                                          • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                                                          • Instruction Fuzzy Hash: D30149B600114EBBCF135E84DD258EE3F27BB18350B598455FE28590B1D336CAB2EB81
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002F7A0D: __getptd_noexit.LIBCMT ref: 002F7A0E
                                                                                                                          • __lock.LIBCMT ref: 002F748F
                                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 002F74AC
                                                                                                                          • _free.LIBCMT ref: 002F74BF
                                                                                                                          • InterlockedIncrement.KERNEL32(01033CC8), ref: 002F74D7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2704283638-0
APIs
  • Part of subcall function 002EAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002EAFE3
  • Part of subcall function 002EAF83: SelectObject.GDI32(?,00000000), ref: 002EAFF2
  • Part of subcall function 002EAF83: BeginPath.GDI32(?), ref: 002EB009
  • Part of subcall function 002EAF83: SelectObject.GDI32(?,00000000), ref: 002EB033
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0033EA8E
• LineTo.GDI32(00000000,?,?), ref: 0033EA9B
• EndPath.GDI32(00000000), ref: 0033EAAB
• StrokePath.GDI32(00000000), ref: 0033EAB9
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0030C84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0030C85D
• GetCurrentThreadId.KERNEL32 ref: 0030C864
• AttachThreadInput.USER32(00000000), ref: 0030C86B
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
• GetCurrentThread.KERNEL32 ref: 0030B0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,0030AC9D), ref: 0030B0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0030AC9D), ref: 0030B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,0030AC9D), ref: 0030B0F1
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetSysColor.USER32(00000008), ref: 002EB496
• SetTextColor.GDI32(?,000000FF), ref: 002EB4A0
• SetBkMode.GDI32(?,00000001), ref: 002EB4B5
• GetStockObject.GDI32(00000005), ref: 002EB4BD
• GetWindowDC.USER32(?,00000000), ref: 0034DE2B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0034DE38
• GetPixel.GDI32(00000000,?,00000000), ref: 0034DE51
• GetPixel.GDI32(00000000,00000000,?), ref: 0034DE6A
• GetPixel.GDI32(00000000,?,?), ref: 0034DE8A
• ReleaseDC.USER32(?,00000000), ref: 0034DE95
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0030B2DF
• UnloadUserProfile.USERENV(?,?), ref: 0030B2EB
• CloseHandle.KERNEL32(?), ref: 0030B2F4
• CloseHandle.KERNEL32(?), ref: 0030B2FC
  • Part of subcall function 0030AB24: GetProcessHeap.KERNEL32(00000000,?,0030A848), ref: 0030AB2B
  • Part of subcall function 0030AB24: HeapFree.KERNEL32(00000000), ref: 0030AB32
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0030DEAA
Strings
                                                                                                                          Similarity
                                                                                                                          • API ID: ContainedObject
                                                                                                                          • String ID: AutoIt3GUI$Container
                                                                                                                          • API String ID: 3565006973-3941886329
                                                                                                                          • Opcode ID: c7b9e2e8524683a9a8b0726c27864c487d186dc6e3d130847f76490c903f8f2d
                                                                                                                          • Instruction ID: 8f2f04639e365e221d552f4454bf0450999ff9010b596092021580a4354d711d
                                                                                                                          • Opcode Fuzzy Hash: c7b9e2e8524683a9a8b0726c27864c487d186dc6e3d130847f76490c903f8f2d
                                                                                                                          • Instruction Fuzzy Hash: EB912674601702AFDB15DFA4C894A6ABBF9BF49710F20846DF94ACF691DB70E841CB60
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscpy
                                                                                                                          • String ID: I/4$I/4
                                                                                                                          • API String ID: 3048848545-2367095951
                                                                                                                          • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                                                          • Instruction ID: a1bad18be479d306b408b63cd987a16086459b060dc054e55d0bda1e544109d9
                                                                                                                          • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                                                          • Instruction Fuzzy Hash: F841E931900616AACF2ADF98D4419FEBB74EF4C710F55505BE981A7291DB309EF2CBA0
                                                                                                                          APIs
                                                                                                                          • Sleep.KERNEL32(00000000), ref: 002EBCDA
                                                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 002EBCF3
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 2783356886-2766056989
                                                                                                                          • Opcode ID: 4adc3b7207cbdf0023e9d9af475eb0d9d40a621acc4df7bf60ecf89a67cd8cd5
                                                                                                                          • Instruction ID: 9bcfe3fd9258a1178abf7990b70de4671876971a860ca9882b73a266f9b0bc42
                                                                                                                          • Opcode Fuzzy Hash: 4adc3b7207cbdf0023e9d9af475eb0d9d40a621acc4df7bf60ecf89a67cd8cd5
                                                                                                                          • Instruction Fuzzy Hash: E8512A71418784DBE320AF15D885BAFBBECFB95354F914C4EF1C9410A2DBB095AC8B52
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002D44ED: __fread_nolock.LIBCMT ref: 002D450B
                                                                                                                          • _wcscmp.LIBCMT ref: 0031C65D
                                                                                                                          • _wcscmp.LIBCMT ref: 0031C670
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: _wcscmp$__fread_nolock
                                                                                                                          • String ID: FILE
                                                                                                                          • API String ID: 4029003684-3121273764
                                                                                                                          • Opcode ID: b2d44f2213ed33e634780dc50de8f58ac481dc6bb3c535bb1534a08ee062187f
                                                                                                                          • Instruction ID: 2c0cdb9ed65c162ce9609cbea9cdc86168e1867da3e2c4b384d3181e1fd51adc
                                                                                                                          • Opcode Fuzzy Hash: b2d44f2213ed33e634780dc50de8f58ac481dc6bb3c535bb1534a08ee062187f
                                                                                                                          • Instruction Fuzzy Hash: 4B41D672A1020ABBDF21AAA4DC41FEF77B9AF49714F00047AF605EB181D7709A54CB51
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0033A85A
                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0033A86F
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: '
                                                                                                                          • API String ID: 3850602802-1997036262
                                                                                                                          • Opcode ID: 372e2d21150c4061c39bbd37ac0913ca621a327f2eca721ffbd74cbd726e60c2
                                                                                                                          • Instruction ID: 73558f57838d037bcaeac7f90bf99fa215ee24caf66843b37bd02507d566c614
                                                                                                                          • Opcode Fuzzy Hash: 372e2d21150c4061c39bbd37ac0913ca621a327f2eca721ffbd74cbd726e60c2
                                                                                                                          • Instruction Fuzzy Hash: 4841E774E017099FDB55CFA8C8C1BDABBB9FB08300F15006AE945AB391D771A942CF91
                                                                                                                          APIs
                                                                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 0033980E
                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0033984A
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Window$DestroyMove
                                                                                                                          • String ID: static
                                                                                                                          • API String ID: 2139405536-2160076837
                                                                                                                          • Opcode ID: ca9d86747d9a65a978af4e4db359549e833e9b66065f34d955d0ed87964c9233
                                                                                                                          • Instruction ID: e19a841a92ad10cb1f481c3624df232fa406ef50d0f9eb414e184d0616e210a7
                                                                                                                          • Opcode Fuzzy Hash: ca9d86747d9a65a978af4e4db359549e833e9b66065f34d955d0ed87964c9233
                                                                                                                          • Instruction Fuzzy Hash: 68317071110604AADB119F74CC81BFB73ADFF99760F51861AF8A9DB190CA71AC51CB60
                                                                                                                          APIs
                                                                                                                          • _memset.LIBCMT ref: 003151C6
                                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00315201
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoItemMenu_memset
                                                                                                                          • String ID: 0
                                                                                                                          • API String ID: 2223754486-4108050209
                                                                                                                          • Opcode ID: ad5681da9385aef7988d91793ee8942b38be9e694baf5da4784efab98927f31d
                                                                                                                          • Instruction ID: ef36721ae40292f8424a5cb495aa107ec9d63dd55766bc88c928f31c74919feb
                                                                                                                          • Opcode Fuzzy Hash: ad5681da9385aef7988d91793ee8942b38be9e694baf5da4784efab98927f31d
                                                                                                                          • Instruction Fuzzy Hash: 7A31E932600705DBEB2ACF99D845BEEBBF8EFCD350F150829E991A71A0D7709985CB10
                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: __snwprintf
                                                                                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                          • API String ID: 2391506597-2584243854
                                                                                                                          • Opcode ID: 53d3d89f8b5f011411aef68c1fa56f316172c84a4af2473f28da54a9093e8e8a
                                                                                                                          • Instruction ID: f32921ae0e451031bf51d2bfee1f03a353da3c3ae658e6558eeda09cb9a08e39
                                                                                                                          • Opcode Fuzzy Hash: 53d3d89f8b5f011411aef68c1fa56f316172c84a4af2473f28da54a9093e8e8a
                                                                                                                          • Instruction Fuzzy Hash: C3218271610228AFCF12EFA4D882EEE77B4AF45740F10445AF405AB281DB74EE55CFA1
                                                                                                                          APIs
                                                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0033945C
                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00339467
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MessageSend
                                                                                                                          • String ID: Combobox
                                                                                                                          • API String ID: 3850602802-2096851135
                                                                                                                          • Opcode ID: 30e0b304e1e1ac8070fc78b67eb027713b1df5fd9290ed84a6e76edad6b85f4c
                                                                                                                          • Instruction ID: 3dd219f72520b1ad013e83c38159ede0cd2aad21075c0392b5ec870118f7cf7b
                                                                                                                          • Opcode Fuzzy Hash: 30e0b304e1e1ac8070fc78b67eb027713b1df5fd9290ed84a6e76edad6b85f4c
                                                                                                                          • Instruction Fuzzy Hash: 2111B6B1710209AFEF12DE55DCC0FBB376EEB483A4F110126F9199B2A0D6719C528760
                                                                                                                          APIs
                                                                                                                            • Part of subcall function 002EB34E: GetWindowLongW.USER32(?,000000EB), ref: 002EB35F
                                                                                                                          • GetActiveWindow.USER32 ref: 0033DA7B
                                                                                                                          • EnumChildWindows.USER32(?,0033D75F,00000000), ref: 0033DAF5
                                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: T12
• API String ID: 3814560230-2591951180
• Opcode ID: 524bb81156170f79263f45a989a67458aa64e86360ad32fd16f7a2d521e002f4
• Instruction ID: 519aba119b241d3dc492ee573fad9a984034e2dc34d0d5f8c306d2c887a9e5b8
• Opcode Fuzzy Hash: 524bb81156170f79263f45a989a67458aa64e86360ad32fd16f7a2d521e002f4
• Instruction Fuzzy Hash: 72212F79604201DFC716DF28E890AA6B7F9EF59320F150619F965973E0D731A850CF60
APIs
  • Part of subcall function 002ED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002ED1BA
  • Part of subcall function 002ED17C: GetStockObject.GDI32(00000011), ref: 002ED1CE
  • Part of subcall function 002ED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002ED1D8
• GetWindowRect.USER32(00000000,?), ref: 00339968
• GetSysColor.USER32(00000012), ref: 00339982
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 9d3a1bc040cf872be46988ce71a56cccac0eb367b2aad9690fbcd8586e9b6d64
• Instruction ID: 81bd88767e2c95c8217ce6ee9bc84ab20a08c27a4641b8e17e5c1021eadd68db
• Opcode Fuzzy Hash: 9d3a1bc040cf872be46988ce71a56cccac0eb367b2aad9690fbcd8586e9b6d64
• Instruction Fuzzy Hash: D5113A72520209AFDB15DFB8CC85EEA7BA8FB08344F014A19F955E3150E775E851DB50
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00339699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003396A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: a3d7255696142e91779ecbff10bfb44cfa4ce32971169152a87d0a6285f8ccca
• Instruction ID: f8fccbf997b17ea93b9e8dfb638c05979989b1caad70379a9392c20759c8a8fd
• Opcode Fuzzy Hash: a3d7255696142e91779ecbff10bfb44cfa4ce32971169152a87d0a6285f8ccca
• Instruction Fuzzy Hash: B2119D71501204EAEB125F64DC81BEB376DEB05378F514715F964971E0C7B19C519B60
APIs
• _memset.LIBCMT ref: 003152D5
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003152F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 92de2405620879b0aac6786553765c062eb7e3ce7c772098c46d8a19dd6144a1
• Instruction ID: cc75de0b5021f96a8f43183d5209e784571d466515f135baf4820e772c36e885
• Opcode Fuzzy Hash: 92de2405620879b0aac6786553765c062eb7e3ce7c772098c46d8a19dd6144a1
• Instruction Fuzzy Hash: 8911263B901615EBDB2ADB98CC04BDD77BCAB89350F160421E9A1E7290D3B0ED41D790
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00324DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00324E1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: ab01aabc6e2096223ebd48cfc2d87e3f22be67d6bdafc329a3efafd5d24b5338
• Instruction ID: 0bd41702b55dc87d262e07c866b9430ab6df3902173c2212a3aeb8fcaaa1f7c4
• Opcode Fuzzy Hash: ab01aabc6e2096223ebd48cfc2d87e3f22be67d6bdafc329a3efafd5d24b5338
• Instruction Fuzzy Hash: C011ACB0601331BBDB268F61D888EFBFAACFF06755F11822AF50596540D3706980C6E0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003037A7
• ___raise_securityfailure.LIBCMT ref: 0030388E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (9
• API String ID: 3761405300-599013391
• Opcode ID: 975b7f4a6b970d92310fb07cf57a8f462b7e03a8a46a165e3d15061a7f3eb097
• Instruction ID: db0a68cae235d7cd64279e59a01050aa46d6258d777e2736c8b27faf74e7cdd3
• Opcode Fuzzy Hash: 975b7f4a6b970d92310fb07cf57a8f462b7e03a8a46a165e3d15061a7f3eb097
• Instruction Fuzzy Hash: D52125B5901B04CFE74ADF28E9956017BBCBB48314F10582BE504CB3A1E3F26980CF45
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0032A84E
• htons.WSOCK32(00000000,?,00000000), ref: 0032A88B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 177602aff384e3510c91e4d82db5abb9fcf2f80c186b195fad496958268cf52d
• Instruction ID: 4bcd151d5f1b90733f8091f6e63119aa0e770722246573ae158b8b723231d5ad
• Opcode Fuzzy Hash: 177602aff384e3510c91e4d82db5abb9fcf2f80c186b195fad496958268cf52d
• Instruction Fuzzy Hash: 40014538200315ABCB22AF68DC86FADB768EF04310F108426F9129B3D1D731E801C752
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0030B7EF
Strings
                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 0030B6EB
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 0030B76C
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
APIs
Strings
Similarity
• API ID: __calloc_crt
• String ID: "9
• API String ID: 3494438863-478567092
APIs
• LoadImageW.USER32(002D0000,00000063,00000001,00000010,00000010,00000000), ref: 002D4048
• EnumResourceNamesW.KERNEL32(00000000,0000000E,003167E9,00000063,00000000,75C10280,?,?,002D3EE1,?,?,000000FF), ref: 003441B3
Strings
Similarity
• API ID: EnumImageLoadNamesResource
• String ID: >-
• API String ID: 1578290342-3760968596
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0030A63F
  • Part of subcall function 002F13F1: _doexit.LIBCMT ref: 002F13FB
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 0034ACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0034AEBD
Strings
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003386A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003386B5
  • Part of subcall function 00317A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00317AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003386E2
• PostMessageW.USER32(00000000), ref: 003386E9
  • Part of subcall function 00317A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00317AD0
Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1711302571.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1711280294.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000035D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711380043.000000000037E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711459129.000000000038A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          • Associated: 00000000.00000002.1711482200.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_2d0000_(2).jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                                          • String ID: Shell_TrayWnd
                                                                                                                          • API String ID: 529655941-2988720461
                                                                                                                          • Opcode ID: 3d8795eaf7a39ca411ff76305534b5484f5aaafd5cd433f98a15db2cd21de124
                                                                                                                          • Instruction ID: 4a912455f863b5bc2b1831bb4c4224082f85f6a591dbc88efd9cb0f338ad6185
                                                                                                                          • Opcode Fuzzy Hash: 3d8795eaf7a39ca411ff76305534b5484f5aaafd5cd433f98a15db2cd21de124
                                                                                                                          • Instruction Fuzzy Hash: 27D0C9313853146BE67A67709C0BFC66A289B09B12F500815B645AA2E0C9A0A9408759