
Windows Analysis Report
%01% (2).exe

Overview

General Information

Sample name: %01% (2).exe (renamed because original name is a hash value)
Original sample name: 2024000000025 scan_Price - 10523 2023935164- BUET 0%01% (2).exe
Analysis ID: 1428642
MD5: ee090d75b586451e3947cb9bf513d681
SHA1: 453a65ca7642cba8e11b43aecdb563c56aeed799
SHA256: c896ae987be1363f02a909bd617fd8519d47e7b55e8cc9b65c96af0c22a5a016
Tags: AgentTesla, exe

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • %01% (2).exe (PID: 1612 cmdline: "C:\Users\user\Desktop\%01% (2).exe" MD5: EE090D75B586451E3947CB9BF513D681)
    • name.exe (PID: 2664 cmdline: "C:\Users\user\Desktop\%01% (2).exe" MD5: C0DB2BD3588FE07C904D83E8446E21D8)
      • RegSvcs.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\%01% (2).exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6932 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • name.exe (PID: 5688 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: C0DB2BD3588FE07C904D83E8446E21D8)
      • RegSvcs.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.suhavuz.com.tr", "Username": "proje@suhavuz.com.tr", "Password": "proje.3535"}
{"C2 url": ["andrae.unoc@gmail.com"]}
Source | Rule | Description | Author (matched strings are listed below the entry)
00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 1C 88 44 24 2B 88 44 24 2F B0 95 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Source | Rule | Description | Author (matched strings are listed below the entry)
6.2.name.exe.37b0000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
6.2.name.exe.37b0000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 1C 88 44 24 2B 88 44 24 2F B0 95 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.4373190.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.RegSvcs.exe.4373190.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.RegSvcs.exe.4373190.8.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6932, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6932, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 2664, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
No Snort rule has matched


AV Detection

Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.suhavuz.com.tr", "Username": "proje@suhavuz.com.tr", "Password": "proje.3535"}
Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["andrae.unoc@gmail.com"]}
Source: %01% (2).exe | ReversingLabs: Detection: 47%
Source: %01% (2).exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\directory\name.exe | Joe Sandbox ML: detected
Source: %01% (2).exe | Joe Sandbox ML: detected
Source: %01% (2).exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3749800134.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4516437589.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.3606397019.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3605868771.0000000003800000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740767332.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740621582.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.3606397019.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3605868771.0000000003800000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740767332.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740621582.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00ADDBBE
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AAC2A2 FindFirstFileExW,0_2_00AAC2A2
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE68EE FindFirstFileW,FindClose,0_2_00AE68EE
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00AE698F
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00ADD076
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00ADD3A9
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AE9642
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00AE979D
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00AE9B2B
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00AE5C97
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,6_2_003EDBBE
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003BC2A2 FindFirstFileExW,6_2_003BC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F68EE FindFirstFileW,FindClose,6_2_003F68EE
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,6_2_003F698F
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_003ED076
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_003ED3A9
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_003F9642
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_003F979D
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,6_2_003F9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F5C97 FindFirstFileW,FindNextFileW,FindClose,6_2_003F5C97
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\

Networking

Source: Malware configuration extractor | URLs: andrae.unoc@gmail.com
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00AECE44
Source: RegSvcs.exe, 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, cPKWk.cs | .Net Code: _9sMYVnhfB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_068092D0 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0680A160,00000000,00000000 7_2_068092D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00AEEAFF
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00AEED6A
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_003FED6A
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00AEEAFF
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00ADAA57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00B09576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00B09576
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00419576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_00419576

System Summary

Source: 6.2.name.exe.37b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4373190.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.30e0ee8.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.2eef15e.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.30e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.30e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 7.2.RegSvcs.exe.3190000.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ef0046.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.RegSvcs.exe.2eef15e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000006.00000002.3609129468.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0000000A.00000002.3749818307.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: %01% (2).exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: %01% (2).exe, 00000000.00000000.2050744864.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_1a95b594-6)
Source: %01% (2).exe, 00000000.00000000.2050744864.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_bdc29a8b-6)
Source: %01% (2).exe, 00000000.00000003.3569485090.0000000003A71000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_4018c188-8)
Source: %01% (2).exe, 00000000.00000003.3569485090.0000000003A71000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_3f9e48ff-d)
Source: name.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000002.3607728233.0000000000442000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b95361bf-b)
Source: name.exe, 00000006.00000002.3607728233.0000000000442000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_b9e639e9-f)
                  Source: name.exe, 0000000A.00000002.3744719029.0000000000442000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2b17f1ee-c
                  Source: name.exe, 0000000A.00000002.3744719029.0000000000442000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7594d4bc-8
                  Source: %01% (2).exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_52e91140-5
                  Source: %01% (2).exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1a4c92ed-7
                  Source: name.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_45591e23-1
                  Source: name.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_86773335-e
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\%01% (2).exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADD5EB: CreateFileW,DeviceIoControl,CloseHandle
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A78060
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE2046
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD8298
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AAE4FF
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AA676B
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00B04873
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A9CAA0
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A7CAF0
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A8CC39
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AA6DD9
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A8D07D
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A791C0
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A8B119
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A91394
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A77920
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A8997D
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A97A4A
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A97CA7
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AA9EEE
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AFBE44
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00388060
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F2046
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003E8298
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003BE4FF
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003B676B
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00414873
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003ACAA0
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0038CAF0
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0039CC39
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003B6DD9
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0039B119
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003891C0
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003A1394
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003A781B
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00387920
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0039997D
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003A7A4A
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003A7CA7
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0040BE44
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003B9EEE
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0038BF40
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_01AF3670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00408C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040DC11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00407C3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00418CCC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00406CA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004028B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041A4BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00418244
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00401650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004193C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00418788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402F89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402B90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004073A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132DB00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132CEE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01321030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01320FD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132D230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01320EE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D9FF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067DBFC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D7958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D4518
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D001F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067DD0C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06800FF4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06802FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069456B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06940230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_067D450A
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 10_2_013D3670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BDCEE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BDDB00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BD0EE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BDD230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BD1030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065ABFC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A4458
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A7958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065AADF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A9FE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A7C50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065A0006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065AD0C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065D0FBC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065D2FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_067158A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_067110D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00389CB3 appears 31 times
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 003A0A30 appears 46 times
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 0039F9F2 appears 40 times
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: String function: 00A79CB3 appears 31 times
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: String function: 00A8F9F2 appears 40 times
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: String function: 00A90A30 appears 46 times
                  Source: %01% (2).exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 6.2.name.exe.37b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 7.2.RegSvcs.exe.4373190.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.30e0ee8.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 7.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.2eef15e.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.30e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.30e0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 10.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 7.2.RegSvcs.exe.3190000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 7.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.2ef0046.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.2eef15e.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000006.00000002.3609129468.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0000000A.00000002.3749818307.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@0/0
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE37B5 GetLastError,FormatMessageW
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD10BF AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003E10BF AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Users\user\Desktop\%01% (2).exe | File created: C:\Users\user\AppData\Local\directory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                  Source: C:\Users\user\Desktop\%01% (2).exe | File created: C:\Users\user\AppData\Local\Temp\aut1158.tmp
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                  Source: %01% (2).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\%01% (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.000000000345D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3756879412.0000000003470000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4516596960.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4516596960.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: %01% (2).exe | ReversingLabs: Detection: 47%
                  Source: %01% (2).exe | Virustotal: Detection: 38%
                  Source: C:\Users\user\Desktop\%01% (2).exe | File read: C:\Users\user\Desktop\%01% (2).exe
                  Source: unknown | Process created: C:\Users\user\Desktop\%01% (2).exe "C:\Users\user\Desktop\%01% (2).exe"
                  Source: C:\Users\user\Desktop\%01% (2).exe | Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\%01% (2).exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\%01% (2).exe"
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\%01% (2).exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: %01% (2).exe | Static file information: File size 1203200 > 1048576
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: %01% (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: _.pdb | source: RegSvcs.exe, 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3749800134.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4516437589.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP | source: name.exe, 00000006.00000003.3606397019.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3605868771.0000000003800000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740767332.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740621582.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb | source: name.exe, 00000006.00000003.3606397019.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3605868771.0000000003800000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740767332.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3740621582.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp
                  Source: %01% (2).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: %01% (2).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: %01% (2).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: %01% (2).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: %01% (2).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A742DE
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A90A76 push ecx; ret 0_2_00A90A89
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003A0A76 push ecx; ret 6_2_003A0A89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C40C push cs; iretd 7_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00423149 push eax; ret 7_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C50E push cs; iretd 7_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004231C8 push eax; ret 7_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040E21D push ecx; ret 7_2_0040E230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041C6BE push ebx; ret 7_2_0041C6BF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132470E pushfd ; retf 7_2_01324719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01324758 push edi; retf 7_2_0132475E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_06802579 push es; iretd 7_2_0680257C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0680B6C1 push es; ret 7_2_0680B6D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_069435C1 push es; ret 7_2_069435D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BD470E pushfd ; retf 11_2_02BD4719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02BD4758 push edi; retf 11_2_02BD475E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065D2579 push es; iretd 11_2_065D257C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065D7630 push es; ret 11_2_065D7640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_065DB681 push es; ret 11_2_065DB690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_067136A1 push es; ret 11_2_067136B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_067131B3 push es; retf 11_2_067131B4
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, 3QjbQ514BDx.cs | High entropy of concatenated method names: 'arDtJUYq12', 'RTBi1iRXzw', 'UDMiCrfBHK', 'L7Fif5m76vm', 'Sed5mR2JaA9', 'nxx0bRM', 'ZAx4', 'e6N73', 'eydA19jgbYf', 'asdkABtJZ'
                  Source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HfMWH8vXVcA31', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, 3QjbQ514BDx.cs | High entropy of concatenated method names: 'arDtJUYq12', 'RTBi1iRXzw', 'UDMiCrfBHK', 'L7Fif5m76vm', 'Sed5mR2JaA9', 'nxx0bRM', 'ZAx4', 'e6N73', 'eydA19jgbYf', 'asdkABtJZ'
                  Source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HfMWH8vXVcA31', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, 3QjbQ514BDx.cs | High entropy of concatenated method names: 'arDtJUYq12', 'RTBi1iRXzw', 'UDMiCrfBHK', 'L7Fif5m76vm', 'Sed5mR2JaA9', 'nxx0bRM', 'ZAx4', 'e6N73', 'eydA19jgbYf', 'asdkABtJZ'
                  Source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HfMWH8vXVcA31', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, 3QjbQ514BDx.cs | High entropy of concatenated method names: 'arDtJUYq12', 'RTBi1iRXzw', 'UDMiCrfBHK', 'L7Fif5m76vm', 'Sed5mR2JaA9', 'nxx0bRM', 'ZAx4', 'e6N73', 'eydA19jgbYf', 'asdkABtJZ'
                  Source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HfMWH8vXVcA31', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, 3QjbQ514BDx.cs | High entropy of concatenated method names: 'arDtJUYq12', 'RTBi1iRXzw', 'UDMiCrfBHK', 'L7Fif5m76vm', 'Sed5mR2JaA9', 'nxx0bRM', 'ZAx4', 'e6N73', 'eydA19jgbYf', 'asdkABtJZ'
                  Source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HfMWH8vXVcA31', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: C:\Users\user\Desktop\%01% (2).exe | File created: C:\Users\user\AppData\Local\directory\name.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\directory\name.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00A8F98E
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00B01C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B01C41
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0039F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_0039F98E
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00411C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_00411C41
                  Source: C:\Users\user\Desktop\%01% (2).exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\directory\name.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\%01% (2).exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396935
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395823
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2399734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2398029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2397046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2396062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2395078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2394093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 2393109
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8296
Source: C:\Users\user\Desktop\%01% (2).exe | API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\directory\name.exe | API coverage: 4.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AAC2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003BC2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F68EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_003F5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2397265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2397156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2397046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396387Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396171Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2396062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395953Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395843Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395625Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395406Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395296Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395187Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2395078Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394968Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394859Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394750Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394640Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394202Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2394093Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393984Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393545Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393327Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 2393109Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00AEEAA2 BlockInput,0_2_00AEEAA2
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00AA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AA2622
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,7_2_004019F0
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A742DE
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00A94CE8 mov eax, dword ptr fs:[00000030h]0_2_00A94CE8
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_003A4CE8 mov eax, dword ptr fs:[00000030h]6_2_003A4CE8
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_01AF3500 mov eax, dword ptr fs:[00000030h]6_2_01AF3500
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_01AF3560 mov eax, dword ptr fs:[00000030h]6_2_01AF3560
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_01AF1ED0 mov eax, dword ptr fs:[00000030h]6_2_01AF1ED0
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 10_2_013D3500 mov eax, dword ptr fs:[00000030h]10_2_013D3500
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 10_2_013D3560 mov eax, dword ptr fs:[00000030h]10_2_013D3560
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 10_2_013D1ED0 mov eax, dword ptr fs:[00000030h]10_2_013D1ED0
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00AD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00AD0B62
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00AA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AA2622
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00A9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A9083F
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00A909D5 SetUnhandledExceptionFilter,0_2_00A909D5
                  Source: C:\Users\user\Desktop\%01% (2).exeCode function: 0_2_00A90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A90C21
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_003B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_003B2622
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_003A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_003A083F
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_003A09D5 SetUnhandledExceptionFilter,6_2_003A09D5
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_003A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_003A0C21
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0040CE09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_0040E61C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00416F6A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_004123F1 SetUnhandledExceptionFilter,7_2_004123F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EFF008
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C87008
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00AD1201
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00AB2BA5
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ADB226 SendInput,keybd_event, 0_2_00ADB226
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00AF22DA
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\%01% (2).exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00AD0B62
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00AD1663
                  Source: %01% (2).exe, name.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.0000000003385000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.0000000003385000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (20/04/2024 04:19:36)<br>
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.0000000003385000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: %01% (2).exe, name.exe | Binary or memory string: Shell_TrayWnd
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.0000000003385000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (20/04/2024 04:19:36)<br>{Win}rTH
                  Source: RegSvcs.exe, 00000007.00000002.3756879412.0000000003385000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (20/04/2024 04:19:36)<br>{Win}TH
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A90698 cpuid 0_2_00A90698
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA, 7_2_00417A20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00AE8195
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00ACD27A GetUserNameW, 0_2_00ACD27A
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00AAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00AAB952
                  Source: C:\Users\user\Desktop\%01% (2).exe | Code function: 0_2_00A742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00A742DE
                  Source: C:\Users\user\Desktop\%01% (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6924, type: MEMORYSTR
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 6.2.name.exe.37b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.3609129468.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.3749818307.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: name.exe | Binary or memory string: WIN_81
                  Source: name.exe | Binary or memory string: WIN_XP
                  Source: name.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: name.exe | Binary or memory string: WIN_XPe
                  Source: name.exe | Binary or memory string: WIN_VISTA
                  Source: name.exe | Binary or memory string: WIN_7
                  Source: name.exe | Binary or memory string: WIN_8
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4373190.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.30e0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.3190000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4325570.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2ef0046.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.4326458.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RegSvcs.exe.2eef15e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3756879412.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.4516596960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6924, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5156, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Users\user\Desktop\%01% (2).exe, Code function: 0_2_00AF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                  Source: C:\Users\user\Desktop\%01% (2).exe, Code function: 0_2_00AF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  Source: C:\Users\user\AppData\Local\directory\name.exe, Code function: 6_2_00401204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                  Source: C:\Users\user\AppData\Local\directory\name.exe, Code function: 6_2_00401806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  Behavior Graph ID: 1428642
                  Sample: %01% (2).exe
                  Startdate: 19/04/2024
                  Architecture: WINDOWS
                  Score: 100

                  • Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
                  • %01% (2).exe started
                    • Dropped: C:\Users\user\AppData\Local\...\name.exe, PE32
                    • Binary is likely a compiled AutoIt script file
                    • name.exe started
                      • Dropped: C:\Users\user\AppData\Roaming\...\name.vbs, data
                      • Binary is likely a compiled AutoIt script file
                      • Machine Learning detection for dropped file
                      • Drops VBS files to the startup folder
                      • Found API chain indicative of sandbox detection
                      • RegSvcs.exe started
                        • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        • Tries to steal Mail credentials (via file / registry access)
                        • Contains functionality to register a low level keyboard hook
                  • wscript.exe started
                    • Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    • name.exe started
                      • Writes to foreign memory regions
                      • Maps a DLL or memory area into another process
                      • RegSvcs.exe started
                        • Tries to harvest and steal browser information (history, passwords, etc)
                        • Installs a global keyboard hook

                  Source | Detection | Scanner | Label | Link
                  %01% (2).exe | 47% | ReversingLabs | Win32.Spyware.RedLine |
                  %01% (2).exe | 39% | Virustotal | | Browse
                  %01% (2).exe | 100% | Joe Sandbox ML | |
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\directory\name.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No contacted domains info
                  Name | Malicious | Antivirus Detection | Reputation
                  andrae.unoc@gmail.com | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://account.dyn.com/ | RegSvcs.exe, 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      No contacted IP infos
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1428642
                      Start date and time:2024-04-19 10:56:51 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 11m 9s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:12
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:%01% (2).exe
                      renamed because original name is a hash value
                      Original Sample Name:2024000000025 scan_Price - 10523 2023935164- BUET 0%01% (2).exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 96%
                      • Number of executed functions: 47
                      • Number of non-executed functions: 303
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240s for sample files taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      Time | Type | Description
                      11:00:11 | API Interceptor | 200286x Sleep call for process: RegSvcs.exe modified
                      11:00:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                      No context
                      No context
                      No context
                      No context
                      No context
                      Process:C:\Users\user\Desktop\%01% (2).exe
                      File Type:data
                      Category:dropped
                      Size (bytes):261970
                      Entropy (8bit):7.978843053004149
                      Encrypted:false
                      SSDEEP:6144:XgCMIypujaVbUQ9jQmM4g/fLxrY2YR3TfwGOsJysRkf:XHKpc24Q9jQmM4sS2e3ToDsI
                      MD5:A9D2280020CBA43361D03EE0A9648F7D
                      SHA1:9A98B391EA2B972A984908A43E4275D99FD062FD
                      SHA-256:3404AD5C0D2BB1342AC0D6DBBA0844943931AC2C27AF795B5988F6AD7C92E3B8
                      SHA-512:847668A3C45AB5D8CD349A5BD9B21F13E7DFFEAADDB5073B8DEBBBA40F7E11060C712D972BC402919CDD2C2F0FBC8E24A8F3B2B8FDAC9E0C88D5311CCFF7B2A3
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\%01% (2).exe
                      File Type:data
                      Category:dropped
                      Size (bytes):9868
                      Entropy (8bit):7.601928719200755
                      Encrypted:false
                      SSDEEP:192:0ZsqLUGeKtxWQa8oYzZtKQauwrQ3n+sMeO6K30Z8nel4QrRS7NLfDz5D/bC4+z:zqLFLtx3a8oYzZtKIwM3+wK30jlFRSXC
                      MD5:294057C85BEFFF6A50B329229DF71465
                      SHA1:4B4EC3CE184DEAD0EAFB51C0DDBE3376F2002459
                      SHA-256:6570CF3560A5174B10202400DE682700162D056A597210193B4391034BC75436
                      SHA-512:D27CE50C5CB46091B0FDD8FA4309A1A4632869840400623784DE04F2AEF71034068F808B088F6022F6553A350D11E49B1F066D21AECA4B892AEF0B7C524178E7
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\AppData\Local\directory\name.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):261970
                      Entropy (8bit):7.978843053004149
                      Encrypted:false
                      SSDEEP:6144:XgCMIypujaVbUQ9jQmM4g/fLxrY2YR3TfwGOsJysRkf:XHKpc24Q9jQmM4sS2e3ToDsI
                      MD5:A9D2280020CBA43361D03EE0A9648F7D
                      SHA1:9A98B391EA2B972A984908A43E4275D99FD062FD
                      SHA-256:3404AD5C0D2BB1342AC0D6DBBA0844943931AC2C27AF795B5988F6AD7C92E3B8
                      SHA-512:847668A3C45AB5D8CD349A5BD9B21F13E7DFFEAADDB5073B8DEBBBA40F7E11060C712D972BC402919CDD2C2F0FBC8E24A8F3B2B8FDAC9E0C88D5311CCFF7B2A3
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\AppData\Local\directory\name.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):9868
                      Entropy (8bit):7.601928719200755
                      Encrypted:false
                      SSDEEP:192:0ZsqLUGeKtxWQa8oYzZtKQauwrQ3n+sMeO6K30Z8nel4QrRS7NLfDz5D/bC4+z:zqLFLtx3a8oYzZtKIwM3+wK30jlFRSXC
                      MD5:294057C85BEFFF6A50B329229DF71465
                      SHA1:4B4EC3CE184DEAD0EAFB51C0DDBE3376F2002459
                      SHA-256:6570CF3560A5174B10202400DE682700162D056A597210193B4391034BC75436
                      SHA-512:D27CE50C5CB46091B0FDD8FA4309A1A4632869840400623784DE04F2AEF71034068F808B088F6022F6553A350D11E49B1F066D21AECA4B892AEF0B7C524178E7
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\AppData\Local\directory\name.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):261970
                      Entropy (8bit):7.978843053004149
                      Encrypted:false
                      SSDEEP:6144:XgCMIypujaVbUQ9jQmM4g/fLxrY2YR3TfwGOsJysRkf:XHKpc24Q9jQmM4sS2e3ToDsI
                      MD5:A9D2280020CBA43361D03EE0A9648F7D
                      SHA1:9A98B391EA2B972A984908A43E4275D99FD062FD
                      SHA-256:3404AD5C0D2BB1342AC0D6DBBA0844943931AC2C27AF795B5988F6AD7C92E3B8
                      SHA-512:847668A3C45AB5D8CD349A5BD9B21F13E7DFFEAADDB5073B8DEBBBA40F7E11060C712D972BC402919CDD2C2F0FBC8E24A8F3B2B8FDAC9E0C88D5311CCFF7B2A3
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\AppData\Local\directory\name.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):9868
                      Entropy (8bit):7.601928719200755
                      Encrypted:false
                      SSDEEP:192:0ZsqLUGeKtxWQa8oYzZtKQauwrQ3n+sMeO6K30Z8nel4QrRS7NLfDz5D/bC4+z:zqLFLtx3a8oYzZtKIwM3+wK30jlFRSXC
                      MD5:294057C85BEFFF6A50B329229DF71465
                      SHA1:4B4EC3CE184DEAD0EAFB51C0DDBE3376F2002459
                      SHA-256:6570CF3560A5174B10202400DE682700162D056A597210193B4391034BC75436
                      SHA-512:D27CE50C5CB46091B0FDD8FA4309A1A4632869840400623784DE04F2AEF71034068F808B088F6022F6553A350D11E49B1F066D21AECA4B892AEF0B7C524178E7
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\%01% (2).exe
                      File Type:data
                      Category:dropped
                      Size (bytes):268288
                      Entropy (8bit):7.836397234309545
                      Encrypted:false
                      SSDEEP:6144:59zvzLuAalCYpNypNnUaIU/+ONOSUB5ELQ9TncZsHNp0:59zvzLu/YYpNinZIU/+ONOSmELcEsHs
                      MD5:6E6FE7119940137D6E0A089B5C764CC4
                      SHA1:DAB4AA293048AA094193857E3626BCFC74CA637F
                      SHA-256:2129B9D9072C38AE12C2A04B957A5BA611CA6B04CA21E9A9339326F1B5122264
                      SHA-512:F7890D92B2F717FF9E9CA52E0D80A28DED754FB3B39399036033F97D6D35F9F3AA0421EA199CA57FA10D7A21F80C565BE988BFA611178A865402999862C32170
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\%01% (2).exe
                      File Type:ASCII text, with very long lines (29714), with no line terminators
                      Category:dropped
                      Size (bytes):29714
                      Entropy (8bit):3.5435263299838864
                      Encrypted:false
                      SSDEEP:768:PiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Il/id4vfF3if6gyt:PiTZ+2QoioGRk6ZklputwjpjBkCiw2Rj
                      MD5:4C4365B2F686F326E18927A106326D8B
                      SHA1:27D9B8C391FA295881DDDC81B77894AE31E034FC
                      SHA-256:E966D757A5B576825109BCE8FA284FDA8B7AB644070B03FA22683F4C3EEBD3A8
                      SHA-512:2C693B87CE445FE947A4A4ED5E2E34110834F418DA6EE17C6277EEE0811791C34882F7386C6E387E273F5263F0E57E73789B745A335DED27762E92684AD47C0A
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\%01% (2).exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):115497984
                      Entropy (8bit):7.99960492568963
                      Encrypted:true
                      SSDEEP:786432:orkcrObCvfQq+fQDgWqoe5BBR6ZEv08LCvbc:KrJQq+f5x+vbc
                      MD5:C0DB2BD3588FE07C904D83E8446E21D8
                      SHA1:DC5C26420C9F493B51B745A2F384B81732881E15
                      SHA-256:3A76C19672CFE1F04CBD3F94337BE7817B93E975565B9173498A71F58BF642FE
                      SHA-512:16C905334142057C522AE8C163CA160684A65F0164F53BA7F7658521E78FEFE906CFAA1E866501C203CA6FB85C4CEB59D75B588185C883CCF95ACA7D5B377D93
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:low
                      Process:C:\Users\user\AppData\Local\directory\name.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):274
                      Entropy (8bit):3.408374803490271
                      Encrypted:false
                      SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlDQ1A1z4mA2n
                      MD5:86948B136B1F801E8D67F09107FE8579
                      SHA1:958A64F475E162FD6B7EE3A5CC11E1D49EF7CF99
                      SHA-256:AAE1242E1E0755FD14206D7FF8807311E68529F049AB1A47EA105E405C9494F7
                      SHA-512:9572FB2BCBB26BFF379A3ED930BEFECD6BC1A185A8FD5B47E60D7B09A50CD49C8B92569EB9667B0EFE71540232E46BC3D64B8BAB8A5996EAB9CE3625B5E08E4F
                      Malicious:true
                      Reputation:low
                      Preview (UTF-16LE text, shown decoded):
                      Set WshShell = CreateObject("WScript.Shell")
                      WshShell.Run "C:\Users\engineer\AppData\Local\directory\name.exe", 1
                      Set WshShell = Nothing
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.080763663655111
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:%01% (2).exe
                      File size:1'203'200 bytes
                      MD5:ee090d75b586451e3947cb9bf513d681
                      SHA1:453a65ca7642cba8e11b43aecdb563c56aeed799
                      SHA256:c896ae987be1363f02a909bd617fd8519d47e7b55e8cc9b65c96af0c22a5a016
                      SHA512:7d63308825a60464d91927b93e5c04a49f2eea7bf4297b183cc045d36f23718000af0b42abbb203a9187cadc24d78d3c4cc6051bb15907be49487772c6ddb8fc
                      SSDEEP:24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8aKGlUkj+pdOcdNev:ATvC/MTQYxsWR7aKWUki3/d
                      TLSH:4345BF0273C1C062FF9B92734B5AF6515BBC79260123A61F13A81DB9BE701B1563E7A3
                      Icon Hash:aaf3e3e3938382a0
                      Entrypoint:0x420577
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6621E640 [Fri Apr 19 03:34:24 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:948cc502fe9226992dce9417f952fce3
                      Instruction
                      call 00007F64CCE05F03h
                      jmp 00007F64CCE0580Fh
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F64CCE059EDh
                      mov dword ptr [esi], 0049FDF0h
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FDF8h
                      mov dword ptr [ecx], 0049FDF0h
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F64CCE059BAh
                      mov dword ptr [esi], 0049FE0Ch
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FE14h
                      mov dword ptr [ecx], 0049FE0Ch
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      and dword ptr [eax], 00000000h
                      and dword ptr [eax+04h], 00000000h
                      push eax
                      mov eax, dword ptr [ebp+08h]
                      add eax, 04h
                      push eax
                      call 00007F64CCE085ADh
                      pop ecx
                      pop ecx
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      lea eax, dword ptr [ecx+04h]
                      mov dword ptr [ecx], 0049FDD0h
                      push eax
                      call 00007F64CCE085F8h
                      pop ecx
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      push eax
                      call 00007F64CCE085E1h
                      test byte ptr [ebp+08h], 00000001h
                      pop ecx
                      Programming Language:
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x4f0dc | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x7594 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0xd4000 | 0x4f0dc | 0x4f200 | 51807bef9ca1bd18c6a0c15fd10d7f7d | False | 0.9167314622827805 | data | 7.869289643682498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x124000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                      RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                      RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                      RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                      RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                      RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                      RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                      RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                      RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                      RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                      RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                      RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                      RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                      RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                      RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                      RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                      RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                      RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                      RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                      RT_RCDATA | 0xdc7b8 | 0x46372 | data |  |  | 1.0003337946189526
                      RT_GROUP_ICON | 0x122b2c | 0x76 | data | English | Great Britain | 0.6610169491525424
                      RT_GROUP_ICON | 0x122ba4 | 0x14 | data | English | Great Britain | 1.25
                      RT_GROUP_ICON | 0x122bb8 | 0x14 | data | English | Great Britain | 1.15
                      RT_GROUP_ICON | 0x122bcc | 0x14 | data | English | Great Britain | 1.25
                      RT_VERSION | 0x122be0 | 0x10c | data | English | Great Britain | 0.5932835820895522
                      RT_MANIFEST | 0x122cec | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                      DLL | Imports
                      WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                      VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                      WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                      COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                      MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                      WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                      PSAPI.DLL | GetProcessMemoryInfo
                      IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                      USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                      UxTheme.dll | IsThemeActive
                      KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                      USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                      GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                      COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                      ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                      SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                      ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                      OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
                      Language of compilation system | Country where language is spoken
                      English | Great Britain
                      No network behavior found

                      Target ID:0
                      Start time:10:57:34
                      Start date:19/04/2024
                      Path:C:\Users\user\Desktop\%01% (2).exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\%01% (2).exe"
                      Imagebase:0xa70000
                      File size:1'203'200 bytes
                      MD5 hash:EE090D75B586451E3947CB9BF513D681
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:6
                      Start time:11:00:09
                      Start date:19/04/2024
                      Path:C:\Users\user\AppData\Local\directory\name.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\%01% (2).exe"
                      Imagebase:0x380000
                      File size:115'497'984 bytes
                      MD5 hash:C0DB2BD3588FE07C904D83E8446E21D8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.3609129468.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.3609129468.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      Reputation:low
                      Has exited:true

                      Target ID:7
                      Start time:11:00:10
                      Start date:19/04/2024
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\%01% (2).exe"
                      Imagebase:0xcf0000
                      File size:45'984 bytes
                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.3746511239.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3773291877.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3756879412.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3755274332.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3756526050.0000000003190000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3754666135.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:11:00:22
                      Start date:19/04/2024
                      Path:C:\Windows\System32\wscript.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                      Imagebase:0x7ff7ab200000
                      File size:170'496 bytes
                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:11:00:23
                      Start date:19/04/2024
                      Path:C:\Users\user\AppData\Local\directory\name.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                      Imagebase:0x380000
                      File size:115'497'984 bytes
                      MD5 hash:C0DB2BD3588FE07C904D83E8446E21D8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.3749818307.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.3749818307.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:11:00:23
                      Start date:19/04/2024
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                      Imagebase:0xac0000
                      File size:45'984 bytes
                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4516596960.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:false


                        Execution Graph

                        Execution Coverage:2.6%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:2.8%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:53
                        execution_graph
95857 ae359c 82 API calls __wsopen_s 95086->95857 95087 a7a8c7 22 API calls 95087->95097 95088->95096 95091->95096 95093 a90242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 95093->95097 95094 a7fbe3 95094->95096 95098 ac4bdc 95094->95098 95102 a7f3ae messages 95094->95102 95095 a7a961 22 API calls 95095->95097 95096->94957 95097->95080 95097->95081 95097->95083 95097->95085 95097->95086 95097->95087 95097->95093 95097->95094 95097->95095 95097->95096 95100 ac4beb 95097->95100 95101 a901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95097->95101 95097->95102 95854 a801e0 256 API calls 2 library calls 95097->95854 95855 a806a0 41 API calls messages 95097->95855 95858 ae359c 82 API calls __wsopen_s 95098->95858 95859 ae359c 82 API calls __wsopen_s 95100->95859 95101->95097 95102->95096 95856 ae359c 82 API calls __wsopen_s 95102->95856 95103->94957 95104->94963 95105->94963 95106->94963 95107->94987 95108->94989 95110 a7a8ea __fread_nolock 95109->95110 95111 a7a8db 95109->95111 95110->95007 95111->95110 95112 a8fe0b 22 API calls 95111->95112 95112->95110 95113->95007 95114->95007 95115->95007 95116->95000 95117->95008 95118->95007 95119->95007 95120->95007 95121->95007 95122->95007 95123->95007 95378 af7f59 95124->95378 95126 af959b 95126->95065 95511 addbbe lstrlenW 95127->95511 95131 a7a961 22 API calls 95130->95131 95132 afe21b 95131->95132 95133 a77510 53 API calls 95132->95133 95134 afe22a 95133->95134 95516 a76270 95134->95516 95137 a77510 53 API calls 95138 afe24a 95137->95138 95139 afe2c7 95138->95139 95140 afe262 95138->95140 95141 a77510 53 API calls 95139->95141 95521 a7b567 95140->95521 95143 afe2cc 95141->95143 95145 afe2d9 95143->95145 95146 afe314 95143->95146 95144 afe267 95144->95145 95149 afe280 95144->95149 95535 a79c6e 95145->95535 95147 afe32c 95146->95147 95150 a7b567 39 API calls 95146->95150 95151 afe345 95147->95151 95154 a7b567 39 API calls 
95147->95154 95152 a76d25 22 API calls 95149->95152 95150->95147 95155 a7a8c7 22 API calls 95151->95155 95153 afe28d 95152->95153 95526 a76350 95153->95526 95154->95151 95157 afe35f 95155->95157 95549 ad92c8 43 API calls 95157->95549 95160 a76d25 22 API calls 95161 afe2b4 95160->95161 95162 a76350 22 API calls 95161->95162 95165 afe2c2 95162->95165 95163 afe2e6 95163->95065 95550 a762b5 22 API calls 95165->95550 95167 ae7474 95166->95167 95168 ae7469 95166->95168 95170 ae7554 95167->95170 95173 a7a961 22 API calls 95167->95173 95169 a7b567 39 API calls 95168->95169 95169->95167 95171 a8fddb 22 API calls 95170->95171 95212 ae76a4 95170->95212 95172 ae7587 95171->95172 95175 a8fe0b 22 API calls 95172->95175 95174 ae7495 95173->95174 95176 a7a961 22 API calls 95174->95176 95177 ae7598 95175->95177 95178 ae749e 95176->95178 95568 a76246 95177->95568 95180 a77510 53 API calls 95178->95180 95182 ae74aa 95180->95182 95595 a7525f 95182->95595 95183 a7a961 22 API calls 95185 ae75ab 95183->95185 95187 a76246 CloseHandle 95185->95187 95186 ae74bf 95188 a76350 22 API calls 95186->95188 95189 ae75b2 95187->95189 95190 ae74f2 95188->95190 95191 a77510 53 API calls 95189->95191 95192 ae754a 95190->95192 95194 add4ce 4 API calls 95190->95194 95193 ae75be 95191->95193 95197 a7b567 39 API calls 95192->95197 95195 a76246 CloseHandle 95193->95195 95198 ae7502 95194->95198 95196 ae75c8 95195->95196 95572 a75745 95196->95572 95197->95170 95198->95192 95199 ae7506 95198->95199 95201 a79cb3 22 API calls 95199->95201 95203 ae7513 95201->95203 95637 add2c1 26 API calls 95203->95637 95204 ae76de GetLastError 95207 ae76f7 95204->95207 95205 ae75ea 95580 a753de 95205->95580 95641 a76216 CloseHandle messages 95207->95641 95210 ae751c 95210->95192 95211 ae75f8 95638 a753c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95211->95638 95212->95065 95214 ae75ff 95216 ae7619 95214->95216 95217 ae7645 95214->95217 95215 a8fddb 22 API calls 95218 ae7679 95215->95218 95639 adccff SetFilePointerEx 
SetFilePointerEx SetFilePointerEx WriteFile 95216->95639 95217->95215 95220 a7a961 22 API calls 95218->95220 95221 ae7686 95220->95221 95221->95212 95640 ad417d 22 API calls __fread_nolock 95221->95640 95224 a7a961 22 API calls 95223->95224 95225 ae6f1d 95224->95225 95226 a7a961 22 API calls 95225->95226 95227 ae6f26 95226->95227 95228 ae6f3a 95227->95228 95229 a7b567 39 API calls 95227->95229 95230 a77510 53 API calls 95228->95230 95229->95228 95231 ae6f57 _wcslen 95230->95231 95232 ae70bf 95231->95232 95233 ae6fbc 95231->95233 95302 ae70e9 95231->95302 95234 a74ecb 94 API calls 95232->95234 95235 a77510 53 API calls 95233->95235 95237 ae70d0 95234->95237 95236 ae6fc8 95235->95236 95240 a7a8c7 22 API calls 95236->95240 95244 ae6fdb 95236->95244 95238 ae70e5 95237->95238 95241 a74ecb 94 API calls 95237->95241 95239 a7a961 22 API calls 95238->95239 95238->95302 95242 ae711a 95239->95242 95240->95244 95241->95238 95243 a7a961 22 API calls 95242->95243 95247 ae7126 95243->95247 95245 ae7027 95244->95245 95248 ae7005 95244->95248 95251 a7a8c7 22 API calls 95244->95251 95246 a77510 53 API calls 95245->95246 95249 ae7034 95246->95249 95250 a7a961 22 API calls 95247->95250 95773 a733c6 95248->95773 95253 ae703d 95249->95253 95254 ae7047 95249->95254 95255 ae712f 95250->95255 95251->95248 95257 a7a8c7 22 API calls 95253->95257 95782 ade199 GetFileAttributesW 95254->95782 95259 a7a961 22 API calls 95255->95259 95256 ae700f 95260 a77510 53 API calls 95256->95260 95257->95254 95262 ae7138 95259->95262 95263 ae701b 95260->95263 95261 ae7050 95264 ae7063 95261->95264 95267 a74c6d 22 API calls 95261->95267 95265 a77510 53 API calls 95262->95265 95266 a76350 22 API calls 95263->95266 95269 a77510 53 API calls 95264->95269 95274 ae7069 95264->95274 95268 ae7145 95265->95268 95266->95245 95267->95264 95271 a7525f 22 API calls 95268->95271 95270 ae70a0 95269->95270 95783 add076 57 API calls 95270->95783 95273 ae7166 95271->95273 95275 a74c6d 22 API calls 95273->95275 95274->95302 
95276 ae7175 95275->95276 95277 ae71a9 95276->95277 95279 a74c6d 22 API calls 95276->95279 95278 a7a8c7 22 API calls 95277->95278 95281 ae71ba 95278->95281 95280 ae7186 95279->95280 95280->95277 95283 a76b57 22 API calls 95280->95283 95282 a76350 22 API calls 95281->95282 95284 ae71c8 95282->95284 95285 ae719b 95283->95285 95286 a76350 22 API calls 95284->95286 95287 a76b57 22 API calls 95285->95287 95288 ae71d6 95286->95288 95287->95277 95289 a76350 22 API calls 95288->95289 95290 ae71e4 95289->95290 95291 a77510 53 API calls 95290->95291 95292 ae71f0 95291->95292 95664 add7bc 95292->95664 95294 ae7201 95295 add4ce 4 API calls 95294->95295 95296 ae720b 95295->95296 95297 a77510 53 API calls 95296->95297 95301 ae7239 95296->95301 95298 ae7229 95297->95298 95718 ae2947 95298->95718 95300 a74f39 68 API calls 95300->95302 95301->95300 95302->95065 95304 a79c6e 22 API calls 95303->95304 95305 a8f012 95304->95305 95307 a8fddb 22 API calls 95305->95307 95309 acf0a8 95305->95309 95308 a8f02b 95307->95308 95311 a8fe0b 22 API calls 95308->95311 95310 a8f0a4 95309->95310 95821 ae9caa 39 API calls 95309->95821 95315 a7b567 39 API calls 95310->95315 95319 a8f0b1 95310->95319 95312 a8f03c 95311->95312 95313 a76246 CloseHandle 95312->95313 95314 a8f047 95313->95314 95316 a7a961 22 API calls 95314->95316 95317 acf10a 95315->95317 95318 a8f04f 95316->95318 95317->95319 95320 acf112 95317->95320 95321 a76246 CloseHandle 95318->95321 95322 a8fa5b 3 API calls 95319->95322 95323 a7b567 39 API calls 95320->95323 95324 a8f056 95321->95324 95328 a8f0b8 95322->95328 95323->95328 95325 a77510 53 API calls 95324->95325 95326 a8f062 95325->95326 95327 a76246 CloseHandle 95326->95327 95329 a8f06c 95327->95329 95330 acf127 95328->95330 95331 a8f0d3 95328->95331 95332 a75745 5 API calls 95329->95332 95334 a8fe0b 22 API calls 95330->95334 95333 a76270 22 API calls 95331->95333 95335 a8f07d 95332->95335 95336 a8f0db 95333->95336 95337 acf12c 95334->95337 95338 acf0a0 95335->95338 95339 a8f085 
95335->95339 95802 a8f141 95336->95802 95341 acf140 95337->95341 95822 a8f866 ReadFile SetFilePointerEx 95337->95822 95820 a76216 CloseHandle messages 95338->95820 95346 a753de 27 API calls 95339->95346 95348 acf144 __fread_nolock 95341->95348 95823 ae0e85 22 API calls ___scrt_fastfail 95341->95823 95345 a8f0ea 95345->95348 95817 a762b5 22 API calls 95345->95817 95349 a8f093 95346->95349 95816 a753c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95349->95816 95350 a8f0fe 95352 a8f138 95350->95352 95354 a76246 CloseHandle 95350->95354 95352->95065 95353 a8f09a 95353->95310 95356 acf069 95353->95356 95357 a8f12c 95354->95357 95819 adccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 95356->95819 95357->95352 95818 a76216 CloseHandle messages 95357->95818 95358 acf080 95358->95310 95360->95067 95361->95026 95363 a79cc2 _wcslen 95362->95363 95364 a8fe0b 22 API calls 95363->95364 95365 a79cea __fread_nolock 95364->95365 95366 a8fddb 22 API calls 95365->95366 95367 a79d00 95366->95367 95367->95038 95368->95029 95369->95039 95370->95051 95371->95051 95372->95028 95373->95062 95374->95062 95375->95062 95376->95060 95377->95062 95416 a77510 95378->95416 95382 af8281 95383 af844f 95382->95383 95388 af828f 95382->95388 95480 af8ee4 60 API calls 95383->95480 95386 af845e 95387 af846a 95386->95387 95386->95388 95404 af7fd5 messages 95387->95404 95452 af7e86 95388->95452 95389 a77510 53 API calls 95407 af8049 95389->95407 95394 af82c8 95467 a8fc70 95394->95467 95397 af82e8 95473 ae359c 82 API calls __wsopen_s 95397->95473 95398 af8302 95474 a763eb 22 API calls 95398->95474 95401 af82f3 GetCurrentProcess TerminateProcess 95401->95398 95402 af8311 95475 a76a50 22 API calls 95402->95475 95404->95126 95405 af832a 95415 af8352 95405->95415 95476 a804f0 22 API calls 95405->95476 95407->95382 95407->95389 95407->95404 95471 ad417d 22 API calls __fread_nolock 95407->95471 95472 af851d 42 API calls _strftime 95407->95472 95408 af84c5 95408->95404 95410 af84d9 
FreeLibrary 95408->95410 95409 af8341 95477 af8b7b 75 API calls 95409->95477 95410->95404 95415->95408 95478 a804f0 22 API calls 95415->95478 95479 a7aceb 23 API calls messages 95415->95479 95481 af8b7b 75 API calls 95415->95481 95417 a77525 95416->95417 95418 a77522 95416->95418 95419 a7752d 95417->95419 95420 a7755b 95417->95420 95418->95404 95439 af8cd3 95418->95439 95482 a951c6 26 API calls 95419->95482 95422 ab50f6 95420->95422 95423 a7756d 95420->95423 95430 ab500f 95420->95430 95485 a95183 26 API calls 95422->95485 95483 a8fb21 51 API calls 95423->95483 95424 a7753d 95429 a8fddb 22 API calls 95424->95429 95427 ab510e 95427->95427 95431 a77547 95429->95431 95433 a8fe0b 22 API calls 95430->95433 95438 ab5088 95430->95438 95432 a79cb3 22 API calls 95431->95432 95432->95418 95435 ab5058 95433->95435 95434 a8fddb 22 API calls 95436 ab507f 95434->95436 95435->95434 95437 a79cb3 22 API calls 95436->95437 95437->95438 95484 a8fb21 51 API calls 95438->95484 95440 a7aec9 22 API calls 95439->95440 95441 af8cee CharLowerBuffW 95440->95441 95486 ad8e54 95441->95486 95445 a7a961 22 API calls 95446 af8d2a 95445->95446 95493 a76d25 95446->95493 95448 af8d3e 95449 a793b2 22 API calls 95448->95449 95451 af8d48 _wcslen 95449->95451 95450 af8e5e _wcslen 95450->95407 95451->95450 95506 af851d 42 API calls _strftime 95451->95506 95453 af7ea1 95452->95453 95457 af7eec 95452->95457 95454 a8fe0b 22 API calls 95453->95454 95455 af7ec3 95454->95455 95456 a8fddb 22 API calls 95455->95456 95455->95457 95456->95455 95458 af9096 95457->95458 95459 af92ab messages 95458->95459 95466 af90ba _strcat _wcslen 95458->95466 95459->95394 95460 a7b6b5 39 API calls 95460->95466 95461 a7b567 39 API calls 95461->95466 95462 a7b38f 39 API calls 95462->95466 95463 a9ea0c 21 API calls ___std_exception_copy 95463->95466 95464 a77510 53 API calls 95464->95466 95466->95459 95466->95460 95466->95461 95466->95462 95466->95463 95466->95464 95510 adefae 24 API calls _wcslen 95466->95510 95468 a8fc85 
95467->95468 95469 a8fd1d VirtualAlloc 95468->95469 95470 a8fceb 95468->95470 95469->95470 95470->95397 95470->95398 95471->95407 95472->95407 95473->95401 95474->95402 95475->95405 95476->95409 95477->95415 95478->95415 95479->95415 95480->95386 95481->95415 95482->95424 95483->95424 95484->95422 95485->95427 95487 ad8e74 _wcslen 95486->95487 95488 ad8f63 95487->95488 95489 ad8ea9 95487->95489 95491 ad8f68 95487->95491 95488->95445 95488->95451 95489->95488 95507 a8ce60 41 API calls 95489->95507 95491->95488 95508 a8ce60 41 API calls 95491->95508 95494 a76d34 95493->95494 95495 a76d91 95493->95495 95494->95495 95497 a76d3f 95494->95497 95496 a793b2 22 API calls 95495->95496 95503 a76d62 __fread_nolock 95496->95503 95498 ab4c9d 95497->95498 95499 a76d5a 95497->95499 95500 a8fddb 22 API calls 95498->95500 95509 a76f34 22 API calls 95499->95509 95502 ab4ca7 95500->95502 95504 a8fe0b 22 API calls 95502->95504 95503->95448 95505 ab4cda 95504->95505 95506->95450 95507->95489 95508->95491 95509->95503 95510->95466 95512 addbdc GetFileAttributesW 95511->95512 95513 add4d5 95511->95513 95512->95513 95514 addbe8 FindFirstFileW 95512->95514 95513->95065 95514->95513 95515 addbf9 FindClose 95514->95515 95515->95513 95517 a8fe0b 22 API calls 95516->95517 95518 a76295 95517->95518 95519 a8fddb 22 API calls 95518->95519 95520 a762a3 95519->95520 95520->95137 95522 a7b578 95521->95522 95523 a7b57f 95521->95523 95522->95523 95551 a962d1 39 API calls _strftime 95522->95551 95523->95144 95525 a7b5c2 95525->95144 95527 a76362 95526->95527 95528 ab4a51 95526->95528 95552 a76373 95527->95552 95562 a74a88 22 API calls __fread_nolock 95528->95562 95531 a7636e 95531->95160 95532 ab4a5b 95533 ab4a67 95532->95533 95534 a7a8c7 22 API calls 95532->95534 95534->95533 95536 a79c7e 95535->95536 95537 abf545 95535->95537 95542 a8fddb 22 API calls 95536->95542 95538 abf556 95537->95538 95539 a76b57 22 API calls 95537->95539 95540 a7a6c3 22 API calls 95538->95540 95539->95538 95541 abf560 
95540->95541 95541->95541 95543 a79c91 95542->95543 95544 a79cac 95543->95544 95545 a79c9a 95543->95545 95546 a7a961 22 API calls 95544->95546 95547 a79cb3 22 API calls 95545->95547 95548 a79ca2 95546->95548 95547->95548 95548->95163 95549->95165 95550->95163 95551->95525 95553 a763b6 __fread_nolock 95552->95553 95554 a76382 95552->95554 95553->95531 95554->95553 95555 ab4a82 95554->95555 95556 a763a9 95554->95556 95558 a8fddb 22 API calls 95555->95558 95563 a7a587 95556->95563 95559 ab4a91 95558->95559 95560 a8fe0b 22 API calls 95559->95560 95561 ab4ac5 __fread_nolock 95560->95561 95562->95532 95564 a7a59d 95563->95564 95567 a7a598 __fread_nolock 95563->95567 95565 a8fe0b 22 API calls 95564->95565 95566 abf80f 95564->95566 95565->95567 95566->95566 95567->95553 95569 a76250 95568->95569 95570 a7625f 95568->95570 95569->95183 95570->95569 95571 a76264 CloseHandle 95570->95571 95571->95569 95573 a7575c CreateFileW 95572->95573 95574 ab4035 95572->95574 95575 a7577b 95573->95575 95574->95575 95576 ab403b CreateFileW 95574->95576 95575->95204 95575->95205 95576->95575 95577 ab4063 95576->95577 95642 a754c6 95577->95642 95581 a753f3 95580->95581 95594 a753f0 messages 95580->95594 95582 a754c6 3 API calls 95581->95582 95581->95594 95583 a75410 95582->95583 95584 ab3f4b 95583->95584 95585 a7541d 95583->95585 95654 a8fa5b 95584->95654 95587 a8fe0b 22 API calls 95585->95587 95588 a75429 95587->95588 95589 a75722 22 API calls 95588->95589 95590 a75433 95589->95590 95648 a79a40 95590->95648 95593 a754c6 3 API calls 95593->95594 95594->95211 95596 a7a961 22 API calls 95595->95596 95597 a75275 95596->95597 95598 a7a961 22 API calls 95597->95598 95599 a7527d 95598->95599 95600 a7a961 22 API calls 95599->95600 95601 a75285 95600->95601 95602 a7a961 22 API calls 95601->95602 95603 a7528d 95602->95603 95604 a752c1 95603->95604 95605 ab3df5 95603->95605 95607 a76d25 22 API calls 95604->95607 95606 a7a8c7 22 API calls 95605->95606 95608 ab3dfe 95606->95608 95609 a752cf 95607->95609 
95610 a7a6c3 22 API calls 95608->95610 95611 a793b2 22 API calls 95609->95611 95614 a75304 95610->95614 95612 a752d9 95611->95612 95612->95614 95615 a76d25 22 API calls 95612->95615 95613 a75349 95617 a76d25 22 API calls 95613->95617 95614->95613 95616 a75325 95614->95616 95633 ab3e20 95614->95633 95618 a752fa 95615->95618 95616->95613 95660 a74c6d 95616->95660 95619 a7535a 95617->95619 95620 a793b2 22 API calls 95618->95620 95622 a75370 95619->95622 95626 a7a8c7 22 API calls 95619->95626 95620->95614 95623 a75384 95622->95623 95628 a7a8c7 22 API calls 95622->95628 95627 a7538f 95623->95627 95630 a7a8c7 22 API calls 95623->95630 95625 a76b57 22 API calls 95634 ab3ee0 95625->95634 95626->95622 95631 a7a8c7 22 API calls 95627->95631 95635 a7539a 95627->95635 95628->95623 95629 a76d25 22 API calls 95629->95613 95630->95627 95631->95635 95632 a74c6d 22 API calls 95632->95634 95633->95625 95634->95613 95634->95632 95663 a749bd 22 API calls __fread_nolock 95634->95663 95635->95186 95637->95210 95638->95214 95639->95217 95640->95212 95641->95212 95643 a754dd 95642->95643 95644 a75564 SetFilePointerEx SetFilePointerEx 95643->95644 95645 ab3f9c SetFilePointerEx 95643->95645 95646 ab3f8b 95643->95646 95647 a75530 95643->95647 95644->95647 95646->95645 95647->95575 95649 a79abb 95648->95649 95653 a79a4e 95648->95653 95659 a8e40f SetFilePointerEx 95649->95659 95651 a7543f 95651->95593 95652 a79a8c ReadFile 95652->95651 95652->95653 95653->95651 95653->95652 95655 a754c6 3 API calls 95654->95655 95656 a8fa79 95655->95656 95657 a754c6 3 API calls 95656->95657 95658 a8fa9a 95657->95658 95658->95594 95659->95653 95661 a7aec9 22 API calls 95660->95661 95662 a74c78 95661->95662 95662->95613 95662->95629 95663->95634 95665 add7d8 95664->95665 95666 add7dd 95665->95666 95667 add7f3 95665->95667 95669 a7a8c7 22 API calls 95666->95669 95717 add7ee 95666->95717 95668 a7a961 22 API calls 95667->95668 95670 add7fb 95668->95670 95669->95717 95671 a7a961 22 API calls 95670->95671 95672 
add803 95671->95672 95673 a7a961 22 API calls 95672->95673 95674 add80e 95673->95674 95675 a7a961 22 API calls 95674->95675 95676 add816 95675->95676 95677 a7a961 22 API calls 95676->95677 95678 add81e 95677->95678 95679 a7a961 22 API calls 95678->95679 95680 add826 95679->95680 95681 a7a961 22 API calls 95680->95681 95682 add82e 95681->95682 95683 a7a961 22 API calls 95682->95683 95684 add836 95683->95684 95685 a7525f 22 API calls 95684->95685 95686 add84d 95685->95686 95687 a7525f 22 API calls 95686->95687 95688 add866 95687->95688 95689 a74c6d 22 API calls 95688->95689 95690 add872 95689->95690 95691 add885 95690->95691 95692 a793b2 22 API calls 95690->95692 95693 a74c6d 22 API calls 95691->95693 95692->95691 95694 add88e 95693->95694 95695 add89e 95694->95695 95696 a793b2 22 API calls 95694->95696 95697 add8b0 95695->95697 95698 a7a8c7 22 API calls 95695->95698 95696->95695 95699 a76350 22 API calls 95697->95699 95698->95697 95700 add8bb 95699->95700 95784 add978 22 API calls 95700->95784 95702 add8ca 95785 add978 22 API calls 95702->95785 95704 add8dd 95705 a74c6d 22 API calls 95704->95705 95706 add8e7 95705->95706 95707 add8ec 95706->95707 95708 add8fe 95706->95708 95710 a733c6 22 API calls 95707->95710 95709 a74c6d 22 API calls 95708->95709 95711 add907 95709->95711 95712 add8f9 95710->95712 95713 add925 95711->95713 95714 a733c6 22 API calls 95711->95714 95715 a76350 22 API calls 95712->95715 95716 a76350 22 API calls 95713->95716 95714->95712 95715->95713 95716->95717 95717->95294 95719 ae2954 __wsopen_s 95718->95719 95720 a8fe0b 22 API calls 95719->95720 95721 ae2971 95720->95721 95722 a75722 22 API calls 95721->95722 95723 ae297b 95722->95723 95724 ae274e 27 API calls 95723->95724 95725 ae2986 95724->95725 95726 a7511f 64 API calls 95725->95726 95727 ae299b 95726->95727 95728 ae29bf 95727->95728 95729 ae2a6c 95727->95729 95730 ae2e66 75 API calls 95728->95730 95731 ae2e66 75 API calls 95729->95731 95732 ae29c4 95730->95732 95746 ae2a38 95731->95746 95739 
ae2a75 messages 95732->95739 95790 a9d583 26 API calls 95732->95790 95734 a750f5 40 API calls 95735 ae2a91 95734->95735 95736 a750f5 40 API calls 95735->95736 95738 ae2aa1 95736->95738 95737 ae29ed 95791 a9d583 26 API calls 95737->95791 95740 a750f5 40 API calls 95738->95740 95739->95301 95742 ae2abc 95740->95742 95743 a750f5 40 API calls 95742->95743 95744 ae2acc 95743->95744 95745 a750f5 40 API calls 95744->95745 95747 ae2ae7 95745->95747 95746->95734 95746->95739 95748 a750f5 40 API calls 95747->95748 95749 ae2af7 95748->95749 95750 a750f5 40 API calls 95749->95750 95751 ae2b07 95750->95751 95752 a750f5 40 API calls 95751->95752 95753 ae2b17 95752->95753 95786 ae3017 GetTempPathW GetTempFileNameW 95753->95786 95755 ae2b22 95756 a9e5eb 29 API calls 95755->95756 95766 ae2b33 95756->95766 95757 ae2bed 95758 a9e678 67 API calls 95757->95758 95759 ae2bf8 95758->95759 95761 ae2bfe DeleteFileW 95759->95761 95762 ae2c12 95759->95762 95760 a750f5 40 API calls 95760->95766 95761->95739 95763 ae2c91 CopyFileW 95762->95763 95769 ae2c18 95762->95769 95764 ae2cb9 DeleteFileW 95763->95764 95765 ae2ca7 DeleteFileW 95763->95765 95787 ae2fd8 CreateFileW 95764->95787 95765->95739 95766->95739 95766->95757 95766->95760 95768 a9dbb3 65 API calls 95766->95768 95768->95766 95770 ae22ce 79 API calls 95769->95770 95771 ae2c7c 95770->95771 95771->95764 95772 ae2c80 DeleteFileW 95771->95772 95772->95739 95774 ab30bb 95773->95774 95775 a733dd 95773->95775 95777 a8fddb 22 API calls 95774->95777 95792 a733ee 95775->95792 95779 ab30c5 _wcslen 95777->95779 95778 a733e8 95778->95256 95780 a8fe0b 22 API calls 95779->95780 95781 ab30fe __fread_nolock 95780->95781 95782->95261 95783->95274 95784->95702 95785->95704 95786->95755 95788 ae2fff SetFileTime CloseHandle 95787->95788 95789 ae3013 95787->95789 95788->95789 95789->95739 95790->95737 95791->95746 95793 a733fe _wcslen 95792->95793 95794 ab311d 95793->95794 95795 a73411 95793->95795 95796 a8fddb 22 API calls 95794->95796 95797 a7a587 22 API 
calls 95795->95797 95799 ab3127 95796->95799 95798 a7341e __fread_nolock 95797->95798 95798->95778 95800 a8fe0b 22 API calls 95799->95800 95801 ab3157 __fread_nolock 95800->95801 95803 a8f188 95802->95803 95804 a8f14c 95802->95804 95805 a7a6c3 22 API calls 95803->95805 95804->95803 95807 a8f15b 95804->95807 95806 adcaeb 95805->95806 95815 adcb1a 95806->95815 95832 adca89 ReadFile SetFilePointerEx 95806->95832 95833 a749bd 22 API calls __fread_nolock 95806->95833 95808 a8f170 95807->95808 95810 a8f17d 95807->95810 95824 a8f18e 95808->95824 95831 adcbf2 26 API calls 95810->95831 95813 a8f179 95813->95345 95815->95345 95816->95353 95817->95350 95818->95352 95819->95358 95820->95309 95821->95309 95822->95341 95823->95348 95834 a8f1d8 95824->95834 95830 a8f1c1 95830->95813 95831->95813 95832->95806 95833->95806 95835 a8fe0b 22 API calls 95834->95835 95836 a8f1ef 95835->95836 95837 a8fddb 22 API calls 95836->95837 95838 a8f1a6 95837->95838 95839 a797b6 95838->95839 95846 a79a1e 95839->95846 95841 a79a40 2 API calls 95843 a797c7 95841->95843 95842 a797fc 95842->95830 95845 a76e14 24 API calls 95842->95845 95843->95841 95843->95842 95853 a79b01 22 API calls __fread_nolock 95843->95853 95845->95830 95847 abf378 95846->95847 95848 a79a2f 95846->95848 95849 a8fddb 22 API calls 95847->95849 95848->95843 95850 abf382 95849->95850 95851 a8fe0b 22 API calls 95850->95851 95852 abf397 95851->95852 95853->95843 95854->95097 95855->95097 95856->95096 95857->95096 95858->95100 95859->95096 95860 ab2ba5 95861 a72b25 95860->95861 95862 ab2baf 95860->95862 95888 a72b83 7 API calls 95861->95888 95903 a73a5a 95862->95903 95866 ab2bb8 95868 a79cb3 22 API calls 95866->95868 95869 ab2bc6 95868->95869 95871 ab2bce 95869->95871 95872 ab2bf5 95869->95872 95870 a72b2f 95880 a72b44 95870->95880 95892 a73837 95870->95892 95875 a733c6 22 API calls 95871->95875 95873 a733c6 22 API calls 95872->95873 95876 ab2bf1 GetForegroundWindow ShellExecuteW 95873->95876 95877 ab2bd9 95875->95877 95884 ab2c26 
95876->95884 95881 a76350 22 API calls 95877->95881 95879 a72b5f 95886 a72b66 SetCurrentDirectoryW 95879->95886 95880->95879 95902 a730f2 Shell_NotifyIconW ___scrt_fastfail 95880->95902 95883 ab2be7 95881->95883 95885 a733c6 22 API calls 95883->95885 95884->95879 95885->95876 95887 a72b7a 95886->95887 95910 a72cd4 7 API calls 95888->95910 95890 a72b2a 95891 a72c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95890->95891 95891->95870 95893 a73862 ___scrt_fastfail 95892->95893 95911 a74212 95893->95911 95897 a738e8 95898 a73906 Shell_NotifyIconW 95897->95898 95899 ab3386 Shell_NotifyIconW 95897->95899 95915 a73923 95898->95915 95901 a7391c 95901->95880 95902->95879 95904 ab1f50 __wsopen_s 95903->95904 95905 a73a67 GetModuleFileNameW 95904->95905 95906 a79cb3 22 API calls 95905->95906 95907 a73a8d 95906->95907 95908 a73aa2 23 API calls 95907->95908 95909 a73a97 95908->95909 95909->95866 95910->95890 95912 a738b7 95911->95912 95913 ab35a4 95911->95913 95912->95897 95937 adc874 42 API calls _strftime 95912->95937 95913->95912 95914 ab35ad DestroyIcon 95913->95914 95914->95912 95916 a73a13 95915->95916 95917 a7393f 95915->95917 95916->95901 95918 a76270 22 API calls 95917->95918 95919 a7394d 95918->95919 95920 ab3393 LoadStringW 95919->95920 95921 a7395a 95919->95921 95923 ab33ad 95920->95923 95922 a76b57 22 API calls 95921->95922 95924 a7396f 95922->95924 95927 a7a8c7 22 API calls 95923->95927 95932 a73994 ___scrt_fastfail 95923->95932 95925 ab33c9 95924->95925 95926 a7397c 95924->95926 95929 a76350 22 API calls 95925->95929 95926->95923 95928 a73986 95926->95928 95927->95932 95930 a76350 22 API calls 95928->95930 95931 ab33d7 95929->95931 95930->95932 95931->95932 95933 a733c6 22 API calls 95931->95933 95934 a739f9 Shell_NotifyIconW 95932->95934 95935 ab33f9 95933->95935 95934->95916 95936 a733c6 22 API calls 95935->95936 95936->95932 95937->95897 95938 aa90fa 95939 aa9107 95938->95939 95942 aa911f 95938->95942 95988 a9f2d9 20 API calls __dosmaperr 
95939->95988 95941 aa910c 95989 aa27ec 26 API calls __wsopen_s 95941->95989 95944 aa917a 95942->95944 95950 aa9117 95942->95950 95990 aafdc4 21 API calls 2 library calls 95942->95990 95946 a9d955 __fread_nolock 26 API calls 95944->95946 95947 aa9192 95946->95947 95958 aa8c32 95947->95958 95949 aa9199 95949->95950 95951 a9d955 __fread_nolock 26 API calls 95949->95951 95952 aa91c5 95951->95952 95952->95950 95953 a9d955 __fread_nolock 26 API calls 95952->95953 95954 aa91d3 95953->95954 95954->95950 95955 a9d955 __fread_nolock 26 API calls 95954->95955 95956 aa91e3 95955->95956 95957 a9d955 __fread_nolock 26 API calls 95956->95957 95957->95950 95959 aa8c3e BuildCatchObjectHelperInternal 95958->95959 95960 aa8c5e 95959->95960 95961 aa8c46 95959->95961 95963 aa8d24 95960->95963 95966 aa8c97 95960->95966 95992 a9f2c6 20 API calls __dosmaperr 95961->95992 95999 a9f2c6 20 API calls __dosmaperr 95963->95999 95965 aa8c4b 95993 a9f2d9 20 API calls __dosmaperr 95965->95993 95969 aa8cbb 95966->95969 95970 aa8ca6 95966->95970 95967 aa8d29 96000 a9f2d9 20 API calls __dosmaperr 95967->96000 95991 aa5147 EnterCriticalSection 95969->95991 95994 a9f2c6 20 API calls __dosmaperr 95970->95994 95972 aa8c53 __wsopen_s 95972->95949 95975 aa8cb3 96001 aa27ec 26 API calls __wsopen_s 95975->96001 95976 aa8cab 95995 a9f2d9 20 API calls __dosmaperr 95976->95995 95977 aa8cc1 95979 aa8cdd 95977->95979 95980 aa8cf2 95977->95980 95996 a9f2d9 20 API calls __dosmaperr 95979->95996 95983 aa8d45 __fread_nolock 38 API calls 95980->95983 95984 aa8ced 95983->95984 95998 aa8d1c LeaveCriticalSection __wsopen_s 95984->95998 95985 aa8ce2 95997 a9f2c6 20 API calls __dosmaperr 95985->95997 95988->95941 95989->95950 95990->95944 95991->95977 95992->95965 95993->95972 95994->95976 95995->95975 95996->95985 95997->95984 95998->95972 95999->95967 96000->95975 96001->95972 96002 a72e37 96003 a7a961 22 API calls 96002->96003 96004 a72e4d 96003->96004 96081 a74ae3 96004->96081 96006 a72e6b 96007 a73a5a 24 API calls 
96006->96007 96008 a72e7f 96007->96008 96009 a79cb3 22 API calls 96008->96009 96010 a72e8c 96009->96010 96011 a74ecb 94 API calls 96010->96011 96012 a72ea5 96011->96012 96013 a72ead 96012->96013 96014 ab2cb0 96012->96014 96018 a7a8c7 22 API calls 96013->96018 96015 ae2cf9 80 API calls 96014->96015 96016 ab2cc3 96015->96016 96017 ab2ccf 96016->96017 96019 a74f39 68 API calls 96016->96019 96023 a74f39 68 API calls 96017->96023 96020 a72ec3 96018->96020 96019->96017 96095 a76f88 22 API calls 96020->96095 96022 a72ecf 96024 a79cb3 22 API calls 96022->96024 96025 ab2ce5 96023->96025 96026 a72edc 96024->96026 96111 a73084 22 API calls 96025->96111 96096 a7a81b 41 API calls 96026->96096 96029 a72eec 96031 a79cb3 22 API calls 96029->96031 96030 ab2d02 96112 a73084 22 API calls 96030->96112 96033 a72f12 96031->96033 96097 a7a81b 41 API calls 96033->96097 96034 ab2d1e 96036 a73a5a 24 API calls 96034->96036 96037 ab2d44 96036->96037 96113 a73084 22 API calls 96037->96113 96038 a72f21 96040 a7a961 22 API calls 96038->96040 96042 a72f3f 96040->96042 96041 ab2d50 96043 a7a8c7 22 API calls 96041->96043 96098 a73084 22 API calls 96042->96098 96045 ab2d5e 96043->96045 96114 a73084 22 API calls 96045->96114 96046 a72f4b 96099 a94a28 40 API calls 3 library calls 96046->96099 96049 ab2d6d 96052 a7a8c7 22 API calls 96049->96052 96050 a72f59 96050->96025 96051 a72f63 96050->96051 96100 a94a28 40 API calls 3 library calls 96051->96100 96054 ab2d83 96052->96054 96115 a73084 22 API calls 96054->96115 96055 a72f6e 96055->96030 96057 a72f78 96055->96057 96101 a94a28 40 API calls 3 library calls 96057->96101 96058 ab2d90 96060 a72f83 96060->96034 96061 a72f8d 96060->96061 96102 a94a28 40 API calls 3 library calls 96061->96102 96063 a72f98 96064 a72fdc 96063->96064 96103 a73084 22 API calls 96063->96103 96064->96049 96065 a72fe8 96064->96065 96065->96058 96105 a763eb 22 API calls 96065->96105 96067 a72fbf 96069 a7a8c7 22 API calls 96067->96069 96071 a72fcd 96069->96071 96070 a72ff8 96106 
a76a50 22 API calls 96070->96106 96104 a73084 22 API calls 96071->96104 96074 a73006 96107 a770b0 23 API calls 96074->96107 96078 a73021 96079 a73065 96078->96079 96108 a76f88 22 API calls 96078->96108 96109 a770b0 23 API calls 96078->96109 96110 a73084 22 API calls 96078->96110 96082 a74af0 __wsopen_s 96081->96082 96083 a76b57 22 API calls 96082->96083 96084 a74b22 96082->96084 96083->96084 96085 a74c6d 22 API calls 96084->96085 96091 a74b58 96084->96091 96085->96084 96086 a74c6d 22 API calls 96086->96091 96087 a79cb3 22 API calls 96089 a74c52 96087->96089 96088 a79cb3 22 API calls 96088->96091 96090 a7515f 22 API calls 96089->96090 96093 a74c5e 96090->96093 96091->96086 96091->96088 96092 a7515f 22 API calls 96091->96092 96094 a74c29 96091->96094 96092->96091 96093->96006 96094->96087 96094->96093 96095->96022 96096->96029 96097->96038 96098->96046 96099->96050 96100->96055 96101->96060 96102->96063 96103->96067 96104->96064 96105->96070 96106->96074 96107->96078 96108->96078 96109->96078 96110->96078 96111->96030 96112->96034 96113->96041 96114->96049 96115->96058 96116 a73156 96119 a73170 96116->96119 96120 a73187 96119->96120 96121 a7318c 96120->96121 96122 a731eb 96120->96122 96159 a731e9 96120->96159 96126 a73265 PostQuitMessage 96121->96126 96127 a73199 96121->96127 96124 ab2dfb 96122->96124 96125 a731f1 96122->96125 96123 a731d0 DefWindowProcW 96161 a7316a 96123->96161 96168 a718e2 10 API calls 96124->96168 96128 a7321d SetTimer RegisterWindowMessageW 96125->96128 96129 a731f8 96125->96129 96126->96161 96131 a731a4 96127->96131 96132 ab2e7c 96127->96132 96137 a73246 CreatePopupMenu 96128->96137 96128->96161 96134 a73201 KillTimer 96129->96134 96135 ab2d9c 96129->96135 96138 ab2e68 96131->96138 96139 a731ae 96131->96139 96173 adbf30 34 API calls ___scrt_fastfail 96132->96173 96164 a730f2 Shell_NotifyIconW ___scrt_fastfail 96134->96164 96143 ab2da1 96135->96143 96144 ab2dd7 MoveWindow 96135->96144 96136 ab2e1c 96169 a8e499 42 API calls 96136->96169 
96137->96161 96172 adc161 27 API calls ___scrt_fastfail 96138->96172 96140 ab2e4d 96139->96140 96141 a731b9 96139->96141 96140->96123 96171 ad0ad7 22 API calls 96140->96171 96148 a73253 96141->96148 96157 a731c4 96141->96157 96142 ab2e8e 96142->96123 96142->96161 96149 ab2da7 96143->96149 96150 ab2dc6 SetFocus 96143->96150 96144->96161 96166 a7326f 44 API calls ___scrt_fastfail 96148->96166 96153 ab2db0 96149->96153 96149->96157 96150->96161 96151 a73214 96165 a73c50 DeleteObject DestroyWindow 96151->96165 96167 a718e2 10 API calls 96153->96167 96156 a73263 96156->96161 96157->96123 96170 a730f2 Shell_NotifyIconW ___scrt_fastfail 96157->96170 96159->96123 96162 ab2e41 96163 a73837 49 API calls 96162->96163 96163->96159 96164->96151 96165->96161 96166->96156 96167->96161 96168->96136 96169->96157 96170->96162 96171->96159 96172->96156 96173->96142 96174 a903fb 96175 a90407 BuildCatchObjectHelperInternal 96174->96175 96203 a8feb1 96175->96203 96177 a9040e 96178 a90561 96177->96178 96181 a90438 96177->96181 96230 a9083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96178->96230 96180 a90568 96231 a94e52 28 API calls _abort 96180->96231 96192 a90477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96181->96192 96214 aa247d 96181->96214 96183 a9056e 96232 a94e04 28 API calls _abort 96183->96232 96187 a90576 96188 a90457 96190 a904d8 96222 a90959 96190->96222 96192->96190 96226 a94e1a 38 API calls 2 library calls 96192->96226 96194 a904de 96195 a904f3 96194->96195 96227 a90992 GetModuleHandleW 96195->96227 96197 a904fa 96197->96180 96198 a904fe 96197->96198 96199 a90507 96198->96199 96228 a94df5 28 API calls _abort 96198->96228 96229 a90040 13 API calls 2 library calls 96199->96229 96202 a9050f 96202->96188 96204 a8feba 96203->96204 96233 a90698 IsProcessorFeaturePresent 96204->96233 96206 a8fec6 96234 a92c94 10 API calls 3 library calls 96206->96234 96208 a8fecb 96209 a8fecf 
96208->96209 96235 aa2317 96208->96235 96209->96177 96212 a8fee6 96212->96177 96215 aa2494 96214->96215 96216 a90a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96215->96216 96217 a90451 96216->96217 96217->96188 96218 aa2421 96217->96218 96221 aa2450 96218->96221 96219 a90a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96220 aa2479 96219->96220 96220->96192 96221->96219 96278 a92340 96222->96278 96225 a9097f 96225->96194 96226->96190 96227->96197 96228->96199 96229->96202 96230->96180 96231->96183 96232->96187 96233->96206 96234->96208 96239 aad1f6 96235->96239 96238 a92cbd 8 API calls 3 library calls 96238->96209 96242 aad213 96239->96242 96243 aad20f 96239->96243 96240 a90a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96241 a8fed8 96240->96241 96241->96212 96241->96238 96242->96243 96245 aa4bfb 96242->96245 96243->96240 96246 aa4c07 BuildCatchObjectHelperInternal 96245->96246 96257 aa2f5e EnterCriticalSection 96246->96257 96248 aa4c0e 96258 aa50af 96248->96258 96250 aa4c1d 96251 aa4c2c 96250->96251 96271 aa4a8f 29 API calls 96250->96271 96273 aa4c48 LeaveCriticalSection _abort 96251->96273 96254 aa4c3d __wsopen_s 96254->96242 96255 aa4c27 96272 aa4b45 GetStdHandle GetFileType 96255->96272 96257->96248 96259 aa50bb BuildCatchObjectHelperInternal 96258->96259 96260 aa50c8 96259->96260 96261 aa50df 96259->96261 96275 a9f2d9 20 API calls __dosmaperr 96260->96275 96274 aa2f5e EnterCriticalSection 96261->96274 96264 aa50cd 96276 aa27ec 26 API calls __wsopen_s 96264->96276 96265 aa50eb 96268 aa5000 __wsopen_s 21 API calls 96265->96268 96270 aa5117 96265->96270 96268->96265 96269 aa50d7 __wsopen_s 96269->96250 96277 aa513e LeaveCriticalSection _abort 96270->96277 96271->96255 96272->96251 96273->96254 96274->96265 96275->96264 96276->96269 96277->96269 96279 a9096c GetStartupInfoW 96278->96279 96279->96225 96280 a71033 96285 a74c91 96280->96285 96284 a71042 96286 a7a961 22 API calls 96285->96286 96287 
a74cff 96286->96287 96293 a73af0 96287->96293 96290 a74d9c 96291 a71038 96290->96291 96296 a751f7 22 API calls __fread_nolock 96290->96296 96292 a900a3 29 API calls __onexit 96291->96292 96292->96284 96297 a73b1c 96293->96297 96296->96290 96298 a73b0f 96297->96298 96299 a73b29 96297->96299 96298->96290 96299->96298 96300 a73b30 RegOpenKeyExW 96299->96300 96300->96298 96301 a73b4a RegQueryValueExW 96300->96301 96302 a73b80 RegCloseKey 96301->96302 96303 a73b6b 96301->96303 96302->96298 96303->96302 96304 a7f7bf 96305 a7fcb6 96304->96305 96306 a7f7d3 96304->96306 96341 a7aceb 23 API calls messages 96305->96341 96308 a7fcc2 96306->96308 96310 a8fddb 22 API calls 96306->96310 96342 a7aceb 23 API calls messages 96308->96342 96311 a7f7e5 96310->96311 96311->96308 96312 a7f83e 96311->96312 96313 a7fd3d 96311->96313 96315 a81310 256 API calls 96312->96315 96330 a7ed9d messages 96312->96330 96343 ae1155 22 API calls 96313->96343 96336 a7ec76 messages 96315->96336 96316 a7fef7 96323 a7a8c7 22 API calls 96316->96323 96316->96330 96318 a8fddb 22 API calls 96318->96336 96320 ac4600 96326 a7a8c7 22 API calls 96320->96326 96320->96330 96321 ac4b0b 96345 ae359c 82 API calls __wsopen_s 96321->96345 96322 a7a8c7 22 API calls 96322->96336 96323->96330 96326->96330 96328 a7fbe3 96328->96330 96331 ac4bdc 96328->96331 96338 a7f3ae messages 96328->96338 96329 a7a961 22 API calls 96329->96336 96346 ae359c 82 API calls __wsopen_s 96331->96346 96333 a90242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96333->96336 96334 ac4beb 96347 ae359c 82 API calls __wsopen_s 96334->96347 96335 a900a3 29 API calls pre_c_initialization 96335->96336 96336->96316 96336->96318 96336->96320 96336->96321 96336->96322 96336->96328 96336->96329 96336->96330 96336->96333 96336->96334 96336->96335 96337 a901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96336->96337 96336->96338 96339 a801e0 256 API calls 2 library 
calls 96336->96339 96340 a806a0 41 API calls messages 96336->96340 96337->96336 96338->96330 96344 ae359c 82 API calls __wsopen_s 96338->96344 96339->96336 96340->96336 96341->96308 96342->96313 96343->96330 96344->96330 96345->96330 96346->96334 96347->96330 96348 a7dddc 96351 a7b710 96348->96351 96352 a7b72b 96351->96352 96353 ac00f8 96352->96353 96354 ac0146 96352->96354 96381 a7b750 96352->96381 96357 ac0102 96353->96357 96360 ac010f 96353->96360 96353->96381 96393 af58a2 256 API calls 2 library calls 96354->96393 96391 af5d33 256 API calls 96357->96391 96373 a7ba20 96360->96373 96392 af61d0 256 API calls 2 library calls 96360->96392 96364 ac03d9 96364->96364 96365 a8d336 40 API calls 96365->96381 96368 a7ba4e 96369 ac0322 96396 af5c0c 82 API calls 96369->96396 96373->96368 96397 ae359c 82 API calls __wsopen_s 96373->96397 96377 a7bbe0 40 API calls 96377->96381 96378 a7ec40 256 API calls 96378->96381 96379 a7a8c7 22 API calls 96379->96381 96381->96365 96381->96368 96381->96369 96381->96373 96381->96377 96381->96378 96381->96379 96382 a7a81b 41 API calls 96381->96382 96383 a8d2f0 40 API calls 96381->96383 96384 a8a01b 256 API calls 96381->96384 96385 a90242 5 API calls __Init_thread_wait 96381->96385 96386 a8edcd 22 API calls 96381->96386 96387 a900a3 29 API calls __onexit 96381->96387 96388 a901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96381->96388 96389 a8ee53 82 API calls 96381->96389 96390 a8e5ca 256 API calls 96381->96390 96394 a7aceb 23 API calls messages 96381->96394 96395 acf6bf 23 API calls 96381->96395 96382->96381 96383->96381 96384->96381 96385->96381 96386->96381 96387->96381 96388->96381 96389->96381 96390->96381 96391->96360 96392->96373 96393->96381 96394->96381 96395->96381 96396->96373 96397->96364 96398 a7105b 96403 a7344d 96398->96403 96400 a7106a 96434 a900a3 29 API calls __onexit 96400->96434 96402 a71074 96404 a7345d __wsopen_s 96403->96404 96405 a7a961 22 API calls 96404->96405 96406 a73513 96405->96406 96407 a73a5a 
24 API calls 96406->96407 96408 a7351c 96407->96408 96435 a73357 96408->96435 96411 a733c6 22 API calls 96412 a73535 96411->96412 96413 a7515f 22 API calls 96412->96413 96414 a73544 96413->96414 96415 a7a961 22 API calls 96414->96415 96416 a7354d 96415->96416 96417 a7a6c3 22 API calls 96416->96417 96418 a73556 RegOpenKeyExW 96417->96418 96419 ab3176 RegQueryValueExW 96418->96419 96424 a73578 96418->96424 96420 ab320c RegCloseKey 96419->96420 96421 ab3193 96419->96421 96420->96424 96432 ab321e _wcslen 96420->96432 96422 a8fe0b 22 API calls 96421->96422 96423 ab31ac 96422->96423 96425 a75722 22 API calls 96423->96425 96424->96400 96426 ab31b7 RegQueryValueExW 96425->96426 96427 ab31d4 96426->96427 96429 ab31ee messages 96426->96429 96428 a76b57 22 API calls 96427->96428 96428->96429 96429->96420 96430 a79cb3 22 API calls 96430->96432 96431 a7515f 22 API calls 96431->96432 96432->96424 96432->96430 96432->96431 96433 a74c6d 22 API calls 96432->96433 96433->96432 96434->96402 96436 ab1f50 __wsopen_s 96435->96436 96437 a73364 GetFullPathNameW 96436->96437 96438 a73386 96437->96438 96439 a76b57 22 API calls 96438->96439 96440 a733a4 96439->96440 96440->96411 96441 a71098 96446 a742de 96441->96446 96445 a710a7 96447 a7a961 22 API calls 96446->96447 96448 a742f5 GetVersionExW 96447->96448 96449 a76b57 22 API calls 96448->96449 96450 a74342 96449->96450 96451 a793b2 22 API calls 96450->96451 96453 a74378 96450->96453 96452 a7436c 96451->96452 96455 a737a0 22 API calls 96452->96455 96454 a7441b GetCurrentProcess IsWow64Process 96453->96454 96461 ab37df 96453->96461 96456 a74437 96454->96456 96455->96453 96457 a7444f LoadLibraryA 96456->96457 96458 ab3824 GetSystemInfo 96456->96458 96459 a74460 GetProcAddress 96457->96459 96460 a7449c GetSystemInfo 96457->96460 96459->96460 96462 a74470 GetNativeSystemInfo 96459->96462 96463 a74476 96460->96463 96462->96463 96464 a7109d 96463->96464 96465 a7447a FreeLibrary 96463->96465 96466 a900a3 29 API calls __onexit 96464->96466 
96465->96464 96466->96445

                        Control-flow Graph

                        control_flow_graph: function at a742de (basic blocks a742de-a744a6 and ab3617-ab3828); API calls reached along its paths: GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo (basic-block edge list from the graph viewer omitted)
                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 00A7430D
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        • GetCurrentProcess.KERNEL32(?,00B0CB64,00000000,?,?), ref: 00A74422
                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00A74429
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A74454
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A74466
                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A74474
                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00A7447B
                        • GetSystemInfo.KERNEL32(?,?,?), ref: 00A744A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                        • API String ID: 3290436268-3101561225
                        • Opcode ID: 098bb9e3294197b7ecd5e6fc056a7874f82c52751a9d74f007057acbb81dbe76
                        • Instruction ID: 0b0646f58dedcaede03f3f2491a34586cb37381bbc34750811ef40638f50cf39
                        • Opcode Fuzzy Hash: 098bb9e3294197b7ecd5e6fc056a7874f82c52751a9d74f007057acbb81dbe76
                        • Instruction Fuzzy Hash: 92A14F7BD0A2C0EFCB11CF6DAC451A57FA87B27740B14CC99D04597A62EF204B88DB69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph: function at a742a2 (basic blocks a742a2-a742dd and ab35ba-ab3612); API calls reached along its paths: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource (basic-block edge list from the graph viewer omitted)
                        APIs
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A750AA,?,?,00000000,00000000), ref: 00A742B2
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A750AA,?,?,00000000,00000000), ref: 00A742C9
                        • LoadResource.KERNEL32(?,00000000,?,?,00A750AA,?,?,00000000,00000000,?,?,?,?,?,?,00A74F20), ref: 00AB35BE
                        • SizeofResource.KERNEL32(?,00000000,?,?,00A750AA,?,?,00000000,00000000,?,?,?,?,?,?,00A74F20), ref: 00AB35D3
                        • LockResource.KERNEL32(00A750AA,?,?,00A750AA,?,?,00000000,00000000,?,?,?,?,?,?,00A74F20,?), ref: 00AB35E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: 8632e501d747b61e295d942d1de4b837621c9bfaa11f821a7374626726c57ee8
                        • Instruction ID: 12d6a5bfc0c66798f12746ff7da17b9015a0aee9809f150247679af75db215ca
                        • Opcode Fuzzy Hash: 8632e501d747b61e295d942d1de4b837621c9bfaa11f821a7374626726c57ee8
                        • Instruction Fuzzy Hash: 10113C71200701BFDB218B65DC49F677FBDEBD9B51F24C269B406966A0DB71D8108A60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A72B6B
                          • Part of subcall function 00A73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B41418,?,00A72E7F,?,?,?,00000000), ref: 00A73A78
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00B32224), ref: 00AB2C10
                        • ShellExecuteW.SHELL32(00000000,?,?,00B32224), ref: 00AB2C17
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                        • String ID: runas
                        • API String ID: 448630720-4000483414
                        • Opcode ID: 6185f424a2440eb3f09b652958677fdd97a682b408c25ea0701f6da83e9a3673
                        • Instruction ID: c6b4a6046e5d6c7afecc9d9d9735405f1f0d46d27f09381048b3712bd551ddad
                        • Opcode Fuzzy Hash: 6185f424a2440eb3f09b652958677fdd97a682b408c25ea0701f6da83e9a3673
                        • Instruction Fuzzy Hash: 7011B7326043055ACB14FF64DD52AAE7BE8ABA1340F04C82DF14A571A3CF318A4AA712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph: function at addbbe (basic blocks addbbe-addc0d); API calls reached along its paths: lstrlenW, GetFileAttributesW, FindFirstFileW, FindClose (basic-block edge list from the graph viewer omitted)
                        APIs
                        • lstrlenW.KERNEL32(?,00AB5222), ref: 00ADDBCE
                        • GetFileAttributesW.KERNELBASE(?), ref: 00ADDBDD
                        • FindFirstFileW.KERNELBASE(?,?), ref: 00ADDBEE
                        • FindClose.KERNEL32(00000000), ref: 00ADDBFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileFind$AttributesCloseFirstlstrlen
                        • String ID:
                        • API String ID: 2695905019-0
                        • Opcode ID: d059a8bf804dad302581f32e1e3e55b3e2dd0b9d702b555a2fe91306423fdee8
                        • Instruction ID: 2b6db06ee683ced3090e2e1fbfec4a7f8c0cd02e04713501760c48ab24cebab4
                        • Opcode Fuzzy Hash: d059a8bf804dad302581f32e1e3e55b3e2dd0b9d702b555a2fe91306423fdee8
                        • Instruction Fuzzy Hash: 6FF0A93082091067C2206F78AC0E8BA3BAC9E02334F204703F836C22E1EFB099948696
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetInputState.USER32 ref: 00A7D807
                        • timeGetTime.WINMM ref: 00A7DA07
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A7DB28
                        • TranslateMessage.USER32(?), ref: 00A7DB7B
                        • DispatchMessageW.USER32(?), ref: 00A7DB89
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A7DB9F
                        • Sleep.KERNEL32(0000000A), ref: 00A7DBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                        • String ID:
                        • API String ID: 2189390790-0
                        • Opcode ID: 32a9a3d7049e491699e03c250a14ef4193ed639eef2cf5f1d6a2594841d74a5d
                        • Instruction ID: 2baac63229fed37c5f3b6a66f53b94e3954bbe42d2c64733fd4556a9dcc99152
                        • Opcode Fuzzy Hash: 32a9a3d7049e491699e03c250a14ef4193ed639eef2cf5f1d6a2594841d74a5d
                        • Instruction Fuzzy Hash: 5542AE706082419FD729DB24CC84F6ABBF0BF96304F15CA5DE56A87291DB71E884CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00A72D07
                        • RegisterClassExW.USER32(00000030), ref: 00A72D31
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A72D42
                        • InitCommonControlsEx.COMCTL32(?), ref: 00A72D5F
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A72D6F
                        • LoadIconW.USER32(000000A9), ref: 00A72D85
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A72D94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: fc379f817601dfccab4ae02b47906151ed039fe4281f1f0cab3bd5ee6e5612a9
                        • Instruction ID: 56e27743bba23240c4b9535e34d7c0758c03b08bcf67da40f8aee4b889c89a37
                        • Opcode Fuzzy Hash: fc379f817601dfccab4ae02b47906151ed039fe4281f1f0cab3bd5ee6e5612a9
                        • Instruction Fuzzy Hash: CC21B2B5D51218AFDB00DFA8EC49A9DBFB8FB09700F00861AE511A72A0DBB14684CF95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph: function at ab065b (basic blocks ab065b-ab0983); internal calls ab042f, a9f2c6, a9f2d9, aa5221, ab039a, a9f2a3, aa516a, ab05ab, ab014d, aa86ae, aa5333; API calls reached along its paths: GetFileType, GetLastError, CloseHandle (basic-block edge list from the graph viewer omitted)
                        APIs
                          • Part of subcall function 00AB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AB0704,?,?,00000000,?,00AB0704,00000000,0000000C), ref: 00AB03B7
                        • GetLastError.KERNEL32 ref: 00AB076F
                        • __dosmaperr.LIBCMT ref: 00AB0776
                        • GetFileType.KERNELBASE(00000000), ref: 00AB0782
                        • GetLastError.KERNEL32 ref: 00AB078C
                        • __dosmaperr.LIBCMT ref: 00AB0795
                        • CloseHandle.KERNEL32(00000000), ref: 00AB07B5
                        • CloseHandle.KERNEL32(?), ref: 00AB08FF
                        • GetLastError.KERNEL32 ref: 00AB0931
                        • __dosmaperr.LIBCMT ref: 00AB0938
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: c3b81282a3cbfc00d0610097daa03905fdb3027794a23ef01e4f400128490a3b
                        • Instruction ID: bc5fb391b0e8f399dbc699d82458fcce6c4029fc95896a7c36de20e544c7d63d
                        • Opcode Fuzzy Hash: c3b81282a3cbfc00d0610097daa03905fdb3027794a23ef01e4f400128490a3b
                        • Instruction Fuzzy Hash: 67A12236A141089FDF19AF68D851BEE7BE4AB0A320F140299F815DF2D2DB319916CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00A73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B41418,?,00A72E7F,?,?,?,00000000), ref: 00A73A78
                          • Part of subcall function 00A73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A73379
                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A7356A
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AB318D
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AB31CE
                        • RegCloseKey.ADVAPI32(?), ref: 00AB3210
                        • _wcslen.LIBCMT ref: 00AB3277
                        • _wcslen.LIBCMT ref: 00AB3286
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                        • API String ID: 98802146-2727554177
                        • Opcode ID: ee1e8b22e4ba77110a5409c0c05be1a9e687b380a5606df3c2bc6f18d7fda494
                        • Instruction ID: f640d7ad9b06508e033b3ae2a2edade2a1a675ff3c2d6508e6b0ddd7ac9cf2b6
                        • Opcode Fuzzy Hash: ee1e8b22e4ba77110a5409c0c05be1a9e687b380a5606df3c2bc6f18d7fda494
                        • Instruction Fuzzy Hash: 0E71C2725043019ED714EF25DD828ABBBF8FF9A740F80852EF549831A1EF309A48DB56
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00A72B8E
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00A72B9D
                        • LoadIconW.USER32(00000063), ref: 00A72BB3
                        • LoadIconW.USER32(000000A4), ref: 00A72BC5
                        • LoadIconW.USER32(000000A2), ref: 00A72BD7
                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A72BEF
                        • RegisterClassExW.USER32(?), ref: 00A72C40
                          • Part of subcall function 00A72CD4: GetSysColorBrush.USER32(0000000F), ref: 00A72D07
                          • Part of subcall function 00A72CD4: RegisterClassExW.USER32(00000030), ref: 00A72D31
                          • Part of subcall function 00A72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A72D42
                          • Part of subcall function 00A72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A72D5F
                          • Part of subcall function 00A72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A72D6F
                          • Part of subcall function 00A72CD4: LoadIconW.USER32(000000A9), ref: 00A72D85
                          • Part of subcall function 00A72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A72D94
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: bf4caf79fca62128704e4e4f9c442daa81679557067069aa4127a5e46839cd1b
                        • Instruction ID: 8090f4cfd86504743c6a2bc75d0b35808a1fb1b697622ba6f72e0ca1dbf068ab
                        • Opcode Fuzzy Hash: bf4caf79fca62128704e4e4f9c442daa81679557067069aa4127a5e46839cd1b
                        • Instruction Fuzzy Hash: 98212C79E40314BBDB10DFA9EC55B997FB4FB49B50F00495AF504A76A0DBB10A80CF98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (text dump of the graph image; the executed / not-executed colouring did not survive extraction, edge list omitted): window-procedure style dispatch at 0x00A73170, entry block a73170-a73185. API calls inside the graph: DefWindowProcW (a731d0-a731d8), PostQuitMessage (a73265-a7326d), SetTimer and RegisterWindowMessageW (a7321d-a73244), CreatePopupMenu (a73246-a73251), KillTimer (a73201-a73214), MoveWindow (ab2dd7-ab2df6), SetFocus (ab2dc6-ab2dd2). Internal subroutines called: a718e2, a8e499, adbf30, a730f2, a73c50, adc161, ad0ad7, a7326f, a73837.
                        APIs
                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A7316A,?,?), ref: 00A731D8
                        • KillTimer.USER32(?,00000001,?,?,?,?,?,00A7316A,?,?), ref: 00A73204
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A73227
                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A7316A,?,?), ref: 00A73232
                        • CreatePopupMenu.USER32 ref: 00A73246
                        • PostQuitMessage.USER32(00000000), ref: 00A73267
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: ed85e333ee843eaac06256975b7bc4972970f38cc18f76f403965ba5a56096ab
                        • Instruction ID: 35945bed36f06975f235d996beca5cde14f78678b9fff054d9576aea58343ecf
                        • Opcode Fuzzy Hash: ed85e333ee843eaac06256975b7bc4972970f38cc18f76f403965ba5a56096ab
                        • Instruction Fuzzy Hash: C5412637650204B6DF145F3C9D09BB93B69E716340F15C626FA0A872A2CB61CF81B7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (text dump of the graph image; the executed / not-executed colouring did not survive extraction, edge list omitted): function at 0x00AA8D45, entry block aa8d45-aa8d55, common return block aa90f4-aa90f9. API calls inside the graph: GetConsoleMode (aa8fcc-aa8fdb), ReadConsoleW (aa8fe3-aa8ffd), ReadFile (aa902d-aa9045), GetLastError (aa8fff and aa90a1-aa90ac). The GetConsoleMode-then-ReadConsoleW-or-ReadFile pattern is the MSVC CRT low-level read path, so this function is runtime code rather than script logic. Internal subroutines called: a9f2c6, a9f2d9, a9f2a3, aa27ec, aa3820, aa29c8, aa9424, aaf89b, aa8a61, aa88a1, aa8bb1.
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 31645906124aae296c271f1c4dd17255b13e2b126f8ae5c789db7fbb4b42fbe2
                        • Instruction ID: f27a99c8e51d89540ac908bf32669f616bdf1804e407c6398133a24a0319a37e
                        • Opcode Fuzzy Hash: 31645906124aae296c271f1c4dd17255b13e2b126f8ae5c789db7fbb4b42fbe2
                        • Instruction Fuzzy Hash: DAC1C174A04249AFDF11EFA8D845BAEBFB0BF1B310F144199E915A73D2CB349A41CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (text dump of the graph image; the executed / not-executed colouring did not survive extraction): single basic block a72c63-a72cd3 at 0x00A72C63 calling CreateWindowExW twice and ShowWindow twice.
                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A72C91
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A72CB2
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00A71CAD,?), ref: 00A72CC6
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00A71CAD,?), ref: 00A72CCF
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        • Opcode ID: 8c630dffabc0a87c30c41eb158044294c1738283789d1f503eacc69d34935704
                        • Instruction ID: 8cba347824bb7b7fb62d88f7e8c99fe0b66967758f8313480a249edae2242c08
                        • Opcode Fuzzy Hash: 8c630dffabc0a87c30c41eb158044294c1738283789d1f503eacc69d34935704
                        • Instruction Fuzzy Hash: 9BF0DA799402907AEB311F1BAC48E772EBDE7C7F50B00045AF904A35A0CA611994DAB8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE2C05
                        • DeleteFileW.KERNEL32(?), ref: 00AE2C87
                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AE2C9D
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE2CAE
                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE2CC0
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: File$Delete$Copy
                        • String ID:
                        • API String ID: 3226157194-0
                        • Opcode ID: 8a4a574596d3096784ff8db43642fa625828cdd7a6d811222323711c11a7029a
                        • Instruction ID: c0c5fe3d382ca542c8b866201e937927362af33778bcce61c865b85fe575c586
                        • Opcode Fuzzy Hash: 8a4a574596d3096784ff8db43642fa625828cdd7a6d811222323711c11a7029a
                        • Instruction Fuzzy Hash: 76B14E71E00119ABDF21EBA5CD85EDEBBBDEF48350F1080A6F609E7151EB709A448F61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (text dump of the graph image; the executed / not-executed colouring did not survive extraction, edge list omitted): function at 0x00A73B1C, entry block a73b1c-a73b27, return block a73b8c-a73b8f. API calls inside the graph: RegOpenKeyExW (a73b30-a73b48), RegQueryValueExW (a73b4a-a73b69), RegCloseKey (a73b80-a73b8b). A failed RegOpenKeyExW skips straight to the return path (a73b99-a73b9b).
                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A73B0F,SwapMouseButtons,00000004,?), ref: 00A73B40
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A73B0F,SwapMouseButtons,00000004,?), ref: 00A73B61
                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A73B0F,SwapMouseButtons,00000004,?), ref: 00A73B83
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        • Opcode ID: 5502ff92546578ec4c9d1f933294578540d34120a3efc41c23c054aec341805e
                        • Instruction ID: a3229d935df3ae9fd189f1e1c72bfab80f3b89bbcf722d072e52146d2222da8d
                        • Opcode Fuzzy Hash: 5502ff92546578ec4c9d1f933294578540d34120a3efc41c23c054aec341805e
                        • Instruction Fuzzy Hash: 6F112AB6610208FFDF218FA5DC44AEEBBBCEF44745B11C55AA80AD7110E6719E40A7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • Variable must be of type 'Object'., xrefs: 00AC32B7
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID:
                        • String ID: Variable must be of type 'Object'.
                        • API String ID: 0-109567571
                        • Opcode ID: b8ada2e90d3f7b12a482991fd4c24973ce2b2098e052213eb960afd9ecddf341
                        • Instruction ID: dfb399b7c5db806f878f45d58129cf477746d47f96e4e54d37f56bc1e2ec39e7
                        • Opcode Fuzzy Hash: b8ada2e90d3f7b12a482991fd4c24973ce2b2098e052213eb960afd9ecddf341
                        • Instruction Fuzzy Hash: EFC29B76A00205CFCF24DF58C881AADB7B1BF19304F24C5A9E95AAB3A1D335ED41CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph (text dump of the graph image; the executed / not-executed colouring did not survive extraction, edge list omitted): function at 0x00A73923, entry block a73923-a73939, return block a73a13-a73a17. API calls inside the graph: LoadStringW (ab3393-ab33a2), Shell_NotifyIconW (a73994-a73a0e). Internal subroutines called: a76270, a76b57, a76350, a73fcf, a92340, a73a18, a94983, a7988f, a7a8c7, a733c6.
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AB33A2
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A73A04
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: IconLoadNotifyShell_String_wcslen
                        • String ID: Line:
                        • API String ID: 2289894680-1585850449
                        • Opcode ID: 43554b36af57f260bf64044c48a4d979127aaea48dedfbfc393774efc8b8d099
                        • Instruction ID: c6a40338b00271d3c246d82ca88ad98a43f6d4d2d1a41b7ed1aa63e927ce3881
                        • Opcode Fuzzy Hash: 43554b36af57f260bf64044c48a4d979127aaea48dedfbfc393774efc8b8d099
                        • Instruction Fuzzy Hash: 8131C572908300AACB21EB24DC55BEFB7E8AB81710F00C92AF59D87191DF709B48D7C6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A90668
                          • Part of subcall function 00A932A4: RaiseException.KERNEL32(?,?,?,00A9068A,?,00B41444,?,?,?,?,?,?,00A9068A,00A71129,00B38738,00A71129), ref: 00A93304
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A90685
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: Exception@8Throw$ExceptionRaise
                        • String ID: Unknown exception
                        • API String ID: 3476068407-410509341
                        • Opcode ID: fa9365b0776d59b26c009a9660f1de545abf1257def3bb80c035452184117100
                        • Instruction ID: 1b9d2775a66ca227c700302fcdae3e1141363371d93665a01279e719b0287781
                        • Opcode Fuzzy Hash: fa9365b0776d59b26c009a9660f1de545abf1257def3bb80c035452184117100
                        • Instruction Fuzzy Hash: 01F0AF34B0030AAB8F00B764D946C9E7BFC5E00394B604171BA24D65E2EFB1EA66C681
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AE302F
                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AE3044
                        Memory Dump Source / Joe Sandbox IDA Plugin: same dump and snapshot as the preceding records (00000000.00000002.3596711095.0000000000A71000.*.sdmp, offset 00A70000; snapshot hcaresult_0_2_a70000_%01% (2).jbxd).
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        • Opcode ID: e88869035d822706db0b9e3b2d163f6c6f13227edb92dbccb01e819e51f61c29
                        • Instruction ID: 00a90e0f580639679dedce75a8b63cad15088c83bfd12b6d8be7faa981dc1c9a
                        • Opcode Fuzzy Hash: e88869035d822706db0b9e3b2d163f6c6f13227edb92dbccb01e819e51f61c29
                        • Instruction Fuzzy Hash: 45D05E7250032877DA20A7A4AC0EFCB3FACDB05750F0002A1B655E30E1DFB0A984CAD0
                        Uniqueness

                        Uniqueness Score: -1.00%
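The per-function API lists in these records (the Software\AutoIt v3\AutoIt include-path lookup, the CreateWindowExW call with the "AutoIt v3" class, and the GetTempPathW / GetTempFileNameW pair with the "aut" prefix) are what an analyst reads to confirm that the native code is the AutoIt interpreter stub. The following is an added example, not code from Joe Sandbox or from the AutoIt project: it parses lines in the shape the report prints above into records and flags those three AutoIt-runtime indicators. The record layout, the function names and the SAMPLE text (constructed here from lines that appear in this report) are the example's own.

```python
"""Triage helper for the per-function "APIs" lists of a Joe Sandbox report.

Added example; not part of the Joe Sandbox report or of the AutoIt runtime.
It parses report lines such as

    • RegOpenKeyExW.KERNELBASE(80000001,Software\\AutoIt v3\\AutoIt,...), ref: 00A7356A
    • GetLastError.KERNEL32 ref: 00AB076F

into records and flags the AutoIt-runtime indicators visible in this section.
The indicator strings are the ones printed in the report; the record layout,
function names and SAMPLE text are constructed for this example.
"""
import re
from collections import Counter

# One bullet line: optional "Part of subcall function ADDR:" prefix, then
# API.MODULE, an optional (arg,arg,...) list and the "ref: ADDR" suffix.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# (API name, predicate over the argument list, label). Argument positions
# follow the Win32 prototypes: GetTempFileNameW(path, prefix, unique, out),
# CreateWindowExW(exstyle, class, title, ...).
AUTOIT_INDICATORS = (
    ("RegOpenKeyExW", lambda a: any("AutoIt v3" in x for x in a),
     "AutoIt include-path registry key"),
    ("CreateWindowExW", lambda a: len(a) > 1 and a[1] == "AutoIt v3",
     "AutoIt v3 hidden window class"),
    ("GetTempFileNameW", lambda a: len(a) > 1 and a[1] == "aut",
     "AutoIt temp-file prefix 'aut'"),
)


def parse_api_line(line):
    """Return a record dict for one API bullet line, or None for anything else."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [] if args is None else args.split(","),
        "ref": int(m.group("ref"), 16),
        "subcall": m.group("sub"),  # address of the subroutine that makes the call, if any
    }


def parse_report(text):
    """Parse every API bullet line in a block of report text; skip other lines."""
    return [r for r in (parse_api_line(l) for l in text.splitlines()) if r]


def autoit_indicators(records):
    """Return (label, 'API @ ref') pairs for calls matching an AutoIt indicator."""
    hits = []
    for r in records:
        for api, pred, label in AUTOIT_INDICATORS:
            if r["api"] == api and pred(r["args"]):
                hits.append((label, f"{r['api']} @ {r['ref']:08X}"))
    return hits


def api_histogram(records):
    """Count calls per API.MODULE, useful for spotting unusual imports."""
    return Counter(f"{r['api']}.{r['module']}" for r in records)


# Constructed sample: lines copied from the function records in this report,
# plus a "Strings" header and a dump-source line that must be ignored.
SAMPLE = """\
  • Part of subcall function 00A73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B41418,?,00A72E7F,?,?,?,00000000), ref: 00A73A78
• RegOpenKeyExW.KERNELBASE(80000001,Software\\AutoIt v3\\AutoIt,00000000,00000001,?,?,\\Include\\), ref: 00A7356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AB318D
• GetLastError.KERNEL32 ref: 00AB076F
• __dosmaperr.LIBCMT ref: 00AB0776
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A72C91
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AE302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AE3044
• __CxxThrowException@8.LIBVCRUNTIME ref: 00A90668
Strings
• Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for label, where in autoit_indicators(recs):
        print(f"{label}: {where}")
    print(api_histogram(recs).most_common(3))
```

These hits identify the packaging, not the payload: the interpreter stub is legitimate AutoIt software, so a match says "compiled AutoIt script" and nothing about the embedded script or the stealer it drops, which the Yara and behavioural signatures cover separately.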

                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00AF82F5
                        • TerminateProcess.KERNEL32(00000000), ref: 00AF82FC
                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 00AF84DD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$CurrentFreeLibraryTerminate
                        • String ID:
                        • API String ID: 146820519-0
                        • Opcode ID: 342d4d8d09981b96f242cd79cfd13b4624a897fa8788e798a6a853134d92de76
                        • Instruction ID: 564bf4bdb6086450714a29b353276613ea6083365f2e36147f10868283793a8c
                        • Opcode Fuzzy Hash: 342d4d8d09981b96f242cd79cfd13b4624a897fa8788e798a6a853134d92de76
                        • Instruction Fuzzy Hash: 13128A71A083059FC724DF68C584B6ABBE1BF89314F04895DF9998B392CB34ED45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 39b0ada99f53d4f534364aa7d0c8ca3b0a35cbcb8701c0196d6a0b54a66b4211
                        • Instruction ID: d1df3de13ec3a95d96eef40bdd4460929b3526545296fbb9d275489752392a97
                        • Opcode Fuzzy Hash: 39b0ada99f53d4f534364aa7d0c8ca3b0a35cbcb8701c0196d6a0b54a66b4211
                        • Instruction Fuzzy Hash: 2A519075E00609AFDF11AFB8C945FEEBBB8AF16320F140059F505A72D2D7359A01CB69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A71BF4
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A71BFC
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A71C07
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A71C12
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A71C1A
                          • Part of subcall function 00A71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A71C22
                          • Part of subcall function 00A71B4A: RegisterWindowMessageW.USER32(00000004,?,00A712C4), ref: 00A71BA2
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A7136A
                        • OleInitialize.OLE32 ref: 00A71388
                        • CloseHandle.KERNEL32(00000000,00000000), ref: 00AB24AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 1986988660-0
                        • Opcode ID: 5c7ee0884afa71df048715e063855f8a8250d36a608a182f33647729a2934c84
                        • Instruction ID: dda868fb98784022be7a483bc66c4e53b957713255ff0d80c624f599d6b8c886
                        • Opcode Fuzzy Hash: 5c7ee0884afa71df048715e063855f8a8250d36a608a182f33647729a2934c84
                        • Instruction Fuzzy Hash: 077198B9D113048EC384EF7DED456A93BE4BBAA3447148A6AD55AC7361EF3086C0CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00A7556D
                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00A7557D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 7220571c4e8b59277e20eecc103390eb421f60377f0867f9f5c269008542d84e
                        • Instruction ID: f107af0b9836373fbb525b98ca19e71832cec0dab4eddaeaff2b77caefb90d12
                        • Opcode Fuzzy Hash: 7220571c4e8b59277e20eecc103390eb421f60377f0867f9f5c269008542d84e
                        • Instruction Fuzzy Hash: 4C311A71A00A09EFDB14CF68CC80B99B7B6FB48715F15C629E91997240D7B1FE94CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00AA85CC,?,00B38CC8,0000000C), ref: 00AA8704
                        • GetLastError.KERNEL32(?,00AA85CC,?,00B38CC8,0000000C), ref: 00AA870E
                        • __dosmaperr.LIBCMT ref: 00AA8739
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                        • String ID:
                        • API String ID: 490808831-0
                        • Opcode ID: 5b3996c9361a8652a4a6b1ead30262b56aedd157bc05ac1ca124190937b05b9d
                        • Instruction ID: f071ffcb1584f24277b7b7a106a263436387cd894b6059872def278de698a883
                        • Opcode Fuzzy Hash: 5b3996c9361a8652a4a6b1ead30262b56aedd157bc05ac1ca124190937b05b9d
                        • Instruction Fuzzy Hash: D7018932A056203AEA226334A945B7E2B495BD3B74F380219F8048F0D2DFB8CC81C1A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00AE2CD4,?,?,?,00000004,00000001), ref: 00AE2FF2
                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AE3006
                        • CloseHandle.KERNEL32(00000000,?,00AE2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AE300D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        • Opcode ID: 9d03fc042c663ef9657d973c4993f9156ad9d1037694aee2067ed0f2364f9d85
                        • Instruction ID: 53787b4e30445f507184115be48289aa4a6d160f83ad5821ec8ceb750dfb17d9
                        • Opcode Fuzzy Hash: 9d03fc042c663ef9657d973c4993f9156ad9d1037694aee2067ed0f2364f9d85
                        • Instruction Fuzzy Hash: A8E0863228021477D6301755BC0DF8B3E1CD786B71F104310F719770D04BB0190142A8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __Init_thread_footer.LIBCMT ref: 00A817F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: CALL
                        • API String ID: 1385522511-4196123274
                        • Opcode ID: 52a1f6d6612d10d515e32b991d9e4245ad8ac229c024f741f508bf1231164960
                        • Instruction ID: a1d49d5c09b17db984a852ce71e5179afa66001624e5faba068880d1a091cbbc
                        • Opcode Fuzzy Hash: 52a1f6d6612d10d515e32b991d9e4245ad8ac229c024f741f508bf1231164960
                        • Instruction Fuzzy Hash: F0227B706082419FC714EF14C985F2ABBF5BF89314F24896DF49A8B3A1D731E946CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _wcslen.LIBCMT ref: 00AE6F6B
                          • Part of subcall function 00A74ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74EFD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LibraryLoad_wcslen
                        • String ID: >>>AUTOIT SCRIPT<<<
                        • API String ID: 3312870042-2806939583
                        • Opcode ID: 20a87e4fb05e6f1746f3e1fb0f02cf73bea38150993d65bb104630172189579e
                        • Instruction ID: 5f4bf0e62b23fb7e16e1a3af61a3ed656e106b75a7c5a53785e9d249da144b68
                        • Opcode Fuzzy Hash: 20a87e4fb05e6f1746f3e1fb0f02cf73bea38150993d65bb104630172189579e
                        • Instruction Fuzzy Hash: 6AB183311083419FCB14EF24C9919AFB7E5AF94310F14C96DF59A972A2EB30ED49CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetOpenFileNameW.COMDLG32(?), ref: 00AB2C8C
                          • Part of subcall function 00A73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A73A97,?,?,00A72E7F,?,?,?,00000000), ref: 00A73AC2
                          • Part of subcall function 00A72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A72DC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Name$Path$FileFullLongOpen
                        • String ID: X
                        • API String ID: 779396738-3081909835
                        • Opcode ID: 318db41347cf79f5f8862492471c1a3a44e9bb9588b086923a13ae524e2a5110
                        • Instruction ID: 08e692849f50aed0036a2303647c3fca05871129c32bf2d6896a848dbbfecd98
                        • Opcode Fuzzy Hash: 318db41347cf79f5f8862492471c1a3a44e9bb9588b086923a13ae524e2a5110
                        • Instruction Fuzzy Hash: A4216371A10258AFDF11DF94CD45BEE7BFCAF49314F10C05AE409A7242DBB45A898B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID: EA06
                        • API String ID: 2638373210-3962188686
                        • Opcode ID: 5ebfe68c0e48ade005439074b58607d23fe3e137c9eb79ee500b7c356144bcea
                        • Instruction ID: a30cb47648a81eceb0ca6dded1503f9d3d2b80b4adc0ff6afe547f8ba321b634
                        • Opcode Fuzzy Hash: 5ebfe68c0e48ade005439074b58607d23fe3e137c9eb79ee500b7c356144bcea
                        • Instruction Fuzzy Hash: BE01B5729042587EDF18C7A8C956FAEBBF89B05301F00459AE152D6181E5B8E6088B60
                        Uniqueness

                        Uniqueness Score: -1.00%
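The String ID fields in the entries above (">>>AUTOIT SCRIPT<<<" and ">>>AUTOIT NO CMDEXECUTE<<<" beside LoadLibraryExW, "EA06" beside __fread_nolock) are the markers behind the "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added example, not part of this report or of Joe Sandbox's own tooling: it searches a buffer for those three markers in both narrow and UTF-16LE form (the encoding each marker uses inside the binary is an assumption, so both are tried) and returns their offsets. The sample bytes it builds are constructed, not taken from the analysed file.

```python
"""Locate compiled-AutoIt marker strings in a binary (added example)."""
from __future__ import annotations

# Marker strings as they appear in the report's String ID fields.
AUTOIT_MARKERS = (
    ">>>AUTOIT SCRIPT<<<",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "EA06",
)


def _needles(marker: str) -> dict[str, bytes]:
    # Assumption: a marker may be stored as a narrow or a wide string,
    # so both encodings are searched.
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}


def find_markers(data: bytes) -> list[tuple[str, str, int]]:
    """Return (marker, encoding, offset) for every occurrence, sorted by offset."""
    hits: list[tuple[str, str, int]] = []
    for marker in AUTOIT_MARKERS:
        for encoding, needle in _needles(marker).items():
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((marker, encoding, idx))
                start = idx + 1
    return sorted(hits, key=lambda hit: hit[2])


def looks_like_autoit(data: bytes) -> bool:
    """Heuristic verdict.

    "EA06" is only four bytes and can occur by chance in any large file, so it
    is treated as corroboration; the long ">>>AUTOIT SCRIPT<<<" marker is required.
    """
    found = {marker for marker, _, _ in find_markers(data)}
    return ">>>AUTOIT SCRIPT<<<" in found


def scan_file(path: str) -> list[tuple[str, str, int]]:
    """Scan a file on disk; callers decide how to act on the hits."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


def build_sample() -> bytes:
    """Constructed stand-in for a PE body; it is not the analysed sample."""
    blob = bytearray(b"MZ" + b"\x00" * 62)                # 64 bytes of fake header
    blob += ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")      # wide marker at offset 64
    blob += b"\x00" * 16
    blob += b"EA06"                                        # narrow tag at offset 118
    blob += b"\x00" * 16
    return bytes(blob)


if __name__ == "__main__":
    for marker, encoding, offset in find_markers(build_sample()):
        print(f"0x{offset:08x}  {encoding:<8}  {marker}")
    print("autoit:", looks_like_autoit(build_sample()))
```

Run it against a dropped file or a memory dump exported from the report; a hit on the long marker is a strong indicator, while an isolated "EA06" in a large file deserves a second look before it is reported.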

                        APIs
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A73908
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: IconNotifyShell_
                        • String ID:
                        • API String ID: 1144537725-0
                        • Opcode ID: bfbc6170ffcaaf6f5c72e0c897d2300446adedb0ea9cbf64d17e32f406246b7f
                        • Instruction ID: c38066f9e919df7b13eaca9e27474b0fbde1d8f4cc1d56eeca6ef42f3271aec9
                        • Opcode Fuzzy Hash: bfbc6170ffcaaf6f5c72e0c897d2300446adedb0ea9cbf64d17e32f406246b7f
                        • Instruction Fuzzy Hash: 7C319375904301AFDB20DF28D88479BBBE8FB49708F00492EF59A87240EB71AA44DB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00A7949C,?,00008000), ref: 00A75773
                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00A7949C,?,00008000), ref: 00AB4052
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: a3858d4ce086f946e8035aa3dd82550d7f692e12a3a7545b66c2fd1de067c340
                        • Instruction ID: 95b750ac114d247f6b013fd2fe1d45fcfddf0679f5908c85df8f26db797432b1
                        • Opcode Fuzzy Hash: a3858d4ce086f946e8035aa3dd82550d7f692e12a3a7545b66c2fd1de067c340
                        • Instruction Fuzzy Hash: B9015E31645225B6E3345B2ADC0EF977F98EF167B0F14C710BAAC6A1E1CBB45854CB90
                        Uniqueness

                        Uniqueness Score: -1.00%
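The CreateFileW arguments in this listing are raw hex, and reading them correctly matters: the call at 00AE2FF2 opens an existing file write-only (GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING) and is immediately followed by SetFileTime and CloseHandle, i.e. a routine that rewrites a file's timestamps, so the timestamps on files this sample drops cannot be trusted as drop times. The helper below is an added example, not part of the report: it parses API-call lines in the report's format and decodes the access, share, disposition and attribute arguments into their Win32 names. The three report lines embedded in it are copied from this listing; "?" marks a value the sandbox could not recover.

```python
"""Decode CreateFileW arguments from Joe Sandbox API-call lines (added example)."""
from __future__ import annotations

import re

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
         0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x80000000: "FILE_FLAG_WRITE_THROUGH"}

# Shape of one "APIs" line: Api.MODULE(arg,arg,...), ref: ADDRESS
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Copied from the report above (constructed list, not a live capture).
REPORT_LINES = [
    "• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00AE2CD4,?,?,?,00000004,00000001), ref: 00AE2FF2",
    "• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00A7949C,?,00008000), ref: 00A75773",
    "• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00A7949C,?,00008000), ref: 00AB4052",
]


def parse_api_line(line: str) -> dict:
    """Split one report line into api, module, argument list and ref address."""
    match = LINE_RE.search(line)
    if not match:
        raise ValueError(f"not an API-call line: {line!r}")
    args = [a.strip() for a in match.group("args").split(",")]
    return {"api": match.group("api"), "module": match.group("module"),
            "args": args, "ref": match.group("ref")}


def _flags(value: int, table: dict[int, str]) -> list[str]:
    """Expand a bitmask into names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["NONE"]


def _hexarg(args: list[str], index: int) -> int | None:
    return None if args[index] == "?" else int(args[index], 16)


def decode_createfile(parsed: dict) -> dict:
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition, dwFlagsAndAttributes."""
    if parsed["api"] != "CreateFileW":
        raise ValueError(f"expected CreateFileW, got {parsed['api']}")
    args = parsed["args"]
    access, share, disp, attrs = (_hexarg(args, i) for i in (1, 2, 4, 5))
    return {
        "ref": parsed["ref"],
        "access": None if access is None else _flags(access, GENERIC),
        "share": None if share is None else _flags(share, SHARE),
        "disposition": None if disp is None else DISPOSITION.get(disp, f"0x{disp:X}"),
        "attributes": None if attrs is None else _flags(attrs, ATTRS),
    }


def summarize(lines: list[str]) -> list[dict]:
    """Decode every CreateFileW line in the input; other APIs are skipped."""
    out = []
    for line in lines:
        try:
            parsed = parse_api_line(line)
        except ValueError:
            continue
        if parsed["api"] == "CreateFileW":
            out.append(decode_createfile(parsed))
    return out


if __name__ == "__main__":
    for entry in summarize(REPORT_LINES):
        print(entry["ref"], entry["access"], entry["share"], entry["disposition"], entry["attributes"])
```

The same parser accepts the "Part of subcall function" lines, since the regex only anchors on the `Api.MODULE(...)`, `ref:` shape; extend the tables if you need to decode other calls from the listing.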

                        APIs
                        • __Init_thread_footer.LIBCMT ref: 00A7BB4E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID:
                        • API String ID: 1385522511-0
                        • Opcode ID: 3fe46c8908611adc0856baecd9f59ae5cc34d1b83d97426b65806b252774a188
                        • Instruction ID: 8c76e664d55cbd6cc1a4c846576cd6f22082c4a844b5359dd8f6f7e402ae5e7d
                        • Opcode Fuzzy Hash: 3fe46c8908611adc0856baecd9f59ae5cc34d1b83d97426b65806b252774a188
                        • Instruction Fuzzy Hash: 1C32BBB5A00209DFDB24CF58C994FBEB7B9EF44304F15C059EA19AB261C774AE41CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A74EDD,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E9C
                          • Part of subcall function 00A74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A74EAE
                          • Part of subcall function 00A74E90: FreeLibrary.KERNEL32(00000000,?,?,00A74EDD,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74EC0
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74EFD
                          • Part of subcall function 00A74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB3CDE,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E62
                          • Part of subcall function 00A74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A74E74
                          • Part of subcall function 00A74E59: FreeLibrary.KERNEL32(00000000,?,?,00AB3CDE,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E87
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Library$Load$AddressFreeProc
                        • String ID:
                        • API String ID: 2632591731-0
                        • Opcode ID: 4562a3cf31aa686ec3a38f13f53a70f3c76f7fb3ec5b4909c5c3d10a0fd1f05a
                        • Instruction ID: 98b2fefd2fc1b7ea2d86a491b99d35dc5b1fb3b83f2597a4858352ba4ed0538d
                        • Opcode Fuzzy Hash: 4562a3cf31aa686ec3a38f13f53a70f3c76f7fb3ec5b4909c5c3d10a0fd1f05a
                        • Instruction Fuzzy Hash: D711E732600205ABDF14FB70DE02FED77A99F44B11F10C42DF546A61D2DF709A059750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __wsopen_s
                        • String ID:
                        • API String ID: 3347428461-0
                        • Opcode ID: 6db76b84b996a54060b4d018b534f9a44671a15acaecf8d4713d9714463baccf
                        • Instruction ID: 9f2a75efd97b3cc4c6b17c974388a4c7d1d31fc308ecb3b3b1777d3d69aac027
                        • Opcode Fuzzy Hash: 6db76b84b996a54060b4d018b534f9a44671a15acaecf8d4713d9714463baccf
                        • Instruction Fuzzy Hash: 3711187590420AAFCB05DF58E94199B7BF9EF49314F104059F808AB352DB31DA11CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00A7543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00A79A9C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: b77c722b12eca4677abdfd1a3e11bca8de54b3d640cd9ba14dcf34942cea6455
                        • Instruction ID: 4ab588551ddd28821aba39c0ee3acfcfeabc9afd1f153ba0c957dfca247f3955
                        • Opcode Fuzzy Hash: b77c722b12eca4677abdfd1a3e11bca8de54b3d640cd9ba14dcf34942cea6455
                        • Instruction Fuzzy Hash: F21106312057059FDB20CF1AC881B67B7F9EB447A4F14C42EE99B8BA51C771A946CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AA4C7D: RtlAllocateHeap.NTDLL(00000008,00A71129,00000000,?,00AA2E29,00000001,00000364,?,?,?,00A9F2DE,00AA3863,00B41444,?,00A8FDF5,?), ref: 00AA4CBE
                        • _free.LIBCMT ref: 00AA506C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                        • Instruction ID: 62c1199548c272458df04545a54abf6e45bc27dbd90b28816d870cffdc8fbc71
                        • Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                        • Instruction Fuzzy Hash: 770126726047046FE3218F69D881A5AFBE8FB8A370F25052DE184832C0EB70A905C7B8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                        • Instruction ID: 896b8a9382db8fb0f7f38e0e1472405da67d4ac43b931d2e22ba4d2238ed3b94
                        • Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                        • Instruction Fuzzy Hash: 84F0F432711E10AADE32BB698E05B5A33D89FA3330F100715FA20972D3DB74D80186A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,00A71129,00000000,?,00AA2E29,00000001,00000364,?,?,?,00A9F2DE,00AA3863,00B41444,?,00A8FDF5,?), ref: 00AA4CBE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 5b271b544b9aa7cb30f26f89fafa4eee76f6cb3a30be7cc4186f46f0579f7450
                        • Instruction ID: 7efa202b0c745fc29367a858090e1c82f26fb1d5b7e14525f4574023f51cf47e
                        • Opcode Fuzzy Hash: 5b271b544b9aa7cb30f26f89fafa4eee76f6cb3a30be7cc4186f46f0579f7450
                        • Instruction Fuzzy Hash: 7AF0B43160622466DB215F629D05F5A3798BFCBBB0B144221B81DA71C1CBF0D80146A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6,?,00A71129), ref: 00AA3852
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: dae453e0cb7e928e9a3800dac3bba426aaabad6f7c5eebfd4eb799528e3954ff
                        • Instruction ID: 5613e08ac9fd633a8df4e7e5d489bb06ef611f9b9164445b4f00a1ed708fc79b
                        • Opcode Fuzzy Hash: dae453e0cb7e928e9a3800dac3bba426aaabad6f7c5eebfd4eb799528e3954ff
                        • Instruction Fuzzy Hash: F3E0E53360222466DE212B779D04F9A3A98AF4B7B0F150124BC04934C0DB18DE0182E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00AA4D9C
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorFreeHeapLast_free
                        • String ID:
                        • API String ID: 1353095263-0
                        • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                        • Instruction ID: 4029b8106315d28b39c7b2f52ecd9b344d92c0b1935033db8e0611d150f58883
                        • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                        • Instruction Fuzzy Hash: 58E092361003059F8721CF6CD400A82BBF4EFC93207208529F89DD3350D331E812CB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FreeLibrary.KERNEL32(?,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74F6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: 5d46a905497f7e6ff600f08109a29afb8ccb9c611ed501b260cdecdac9771f79
                        • Instruction ID: b388b889a1dd1a00845d69ab7d115cd81ccd8253610d3200556a9aef87f555a3
                        • Opcode Fuzzy Hash: 5d46a905497f7e6ff600f08109a29afb8ccb9c611ed501b260cdecdac9771f79
                        • Instruction Fuzzy Hash: 7CF01571105752CFDB349F64D990822BBF4AF19729320CA7EE2EE82621CB329844DB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A72DC4
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LongNamePath_wcslen
                        • String ID:
                        • API String ID: 541455249-0
                        • Opcode ID: e077717faf4cbbe495427c3cdeb490652254126f452186a4b3e31738cb674ea6
                        • Instruction ID: 93a1152786314eca95fd98eeda72453a7350e4e52eb9ca896e1d9cb4f82552c8
                        • Opcode Fuzzy Hash: e077717faf4cbbe495427c3cdeb490652254126f452186a4b3e31738cb674ea6
                        • Instruction Fuzzy Hash: D8E0C272A002245BCB20A7A89C06FEA77EDDFC8790F0441B2FD09E7249DA60ED80C690
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID:
                        • API String ID: 2638373210-0
                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction ID: 0248bf500c71b5410d3ed7f851860e97eca1276e34aad1132052c6a4710cc7f5
                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction Fuzzy Hash: 3DE04FB1609B005FDF399B28A9517B677E8DF49300F00096EF69B82252E57268458B4D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A73908
                          • Part of subcall function 00A7D730: GetInputState.USER32 ref: 00A7D807
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00A72B6B
                          • Part of subcall function 00A730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A7314E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                        • String ID:
                        • API String ID: 3667716007-0
                        • Opcode ID: 466cbed7ba9af02ad0d34dcdb17a7f471a5e177f42bedaf51154a02f659f81a3
                        • Instruction ID: e85537dc91c0dcece8044be2bbe3eefa26764c0310b3670d619f59d9c3a2fe0e
                        • Opcode Fuzzy Hash: 466cbed7ba9af02ad0d34dcdb17a7f471a5e177f42bedaf51154a02f659f81a3
                        • Instruction Fuzzy Hash: 3AE0862370424806CA08BB759D5256DA7599BE2351F41D97EF14A432A3CF2446865752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(00000000,00000000,?,00AB0704,?,?,00000000,?,00AB0704,00000000,0000000C), ref: 00AB03B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 8a3d6af5818015f554337591e155436e1160a7f7a2033d3778f3da9e2d577be0
                        • Instruction ID: bdda0f82eeacbcf94427481deb32892dc18259d204ca6bbd4b3ddff6d360b898
                        • Opcode Fuzzy Hash: 8a3d6af5818015f554337591e155436e1160a7f7a2033d3778f3da9e2d577be0
                        • Instruction Fuzzy Hash: 47D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014100BE1866020C732E821AB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A71CBC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: InfoParametersSystem
                        • String ID:
                        • API String ID: 3098949447-0
                        • Opcode ID: 4c7f7b68c6d9a5acd25efc7c03c69361a2a7ec4357ef864da681acaaacdb4d41
                        • Instruction ID: f8f7786c58e5b3a9830c0fededeeaeecbb5301ff2c56a95f1b897f10544cf7fc
                        • Opcode Fuzzy Hash: 4c7f7b68c6d9a5acd25efc7c03c69361a2a7ec4357ef864da681acaaacdb4d41
                        • Instruction Fuzzy Hash: 89C0923E280304AFF2148B84BC4BF107BA4B369F00F448401FA09AB5E3CBA22960EA54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A75745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00A7949C,?,00008000), ref: 00A75773
                        • GetLastError.KERNEL32(00000002,00000000), ref: 00AE76DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateErrorFileLast
                        • String ID:
                        • API String ID: 1214770103-0
                        • Opcode ID: 352606b89136b0a18091614a5145cce37024d0a01ea5eb9b9cb42642777f63f0
                        • Instruction ID: 4f4328e0a54df367839f713ee14d3f683e43d30d5a54738a0c10b10f1983c49e
                        • Opcode Fuzzy Hash: 352606b89136b0a18091614a5145cce37024d0a01ea5eb9b9cb42642777f63f0
                        • Instruction Fuzzy Hash: DD81A0306087419FC714EF29C991B6EB7E1BF89314F04856DF88A5B2A2DB30ED45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction ID: 7ad1f0347b21e0c1f6b962b7a8376772fea337d6f7cfbb4eb9c7c6f4b53d8ef4
                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction Fuzzy Hash: 2331D2B5A0010A9FC718EF59D480969FBB6FF59304B2486A5E909CF656D731EEC1CBC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B0961A
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B0965B
                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B0969F
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B096C9
                        • SendMessageW.USER32 ref: 00B096F2
                        • GetKeyState.USER32(00000011), ref: 00B0978B
                        • GetKeyState.USER32(00000009), ref: 00B09798
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B097AE
                        • GetKeyState.USER32(00000010), ref: 00B097B8
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B097E9
                        • SendMessageW.USER32 ref: 00B09810
                        • SendMessageW.USER32(?,00001030,?,00B07E95), ref: 00B09918
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B0992E
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B09941
                        • SetCapture.USER32(?), ref: 00B0994A
                        • ClientToScreen.USER32(?,?), ref: 00B099AF
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B099BC
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B099D6
                        • ReleaseCapture.USER32 ref: 00B099E1
                        • GetCursorPos.USER32(?), ref: 00B09A19
                        • ScreenToClient.USER32(?,?), ref: 00B09A26
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B09A80
                        • SendMessageW.USER32 ref: 00B09AAE
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B09AEB
                        • SendMessageW.USER32 ref: 00B09B1A
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B09B3B
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B09B4A
                        • GetCursorPos.USER32(?), ref: 00B09B68
                        • ScreenToClient.USER32(?,?), ref: 00B09B75
                        • GetParent.USER32(?), ref: 00B09B93
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B09BFA
                        • SendMessageW.USER32 ref: 00B09C2B
                        • ClientToScreen.USER32(?,?), ref: 00B09C84
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B09CB4
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B09CDE
                        • SendMessageW.USER32 ref: 00B09D01
                        • ClientToScreen.USER32(?,?), ref: 00B09D4E
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B09D82
                          • Part of subcall function 00A89944: GetWindowLongW.USER32(?,000000EB), ref: 00A89952
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B09E05
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                        • String ID: @GUI_DRAGID$F
                        • API String ID: 3429851547-4164748364
                        • Opcode ID: a9cb04cc6cf8792a48ece2e2c5e25f9dad0cb595049f367c3b084b329ec36b62
                        • Instruction ID: ba60a77603ac94ddea06fd24870d76f6123ace1c0d0f371af445ebc53fb0af21
                        • Opcode Fuzzy Hash: a9cb04cc6cf8792a48ece2e2c5e25f9dad0cb595049f367c3b084b329ec36b62
                        • Instruction Fuzzy Hash: 3B428F35608201AFD724CF28CC84AAABFE5FF49310F144A99F659872F2DB32E951CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B048F3
                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B04908
                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B04927
                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B0494B
                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B0495C
                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B0497B
                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B049AE
                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B049D4
                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B04A0F
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B04A56
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B04A7E
                        • IsMenu.USER32(?), ref: 00B04A97
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B04AF2
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B04B20
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B04B94
                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B04BE3
                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B04C82
                        • wsprintfW.USER32 ref: 00B04CAE
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B04CC9
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B04CF1
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B04D13
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B04D33
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B04D5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                        • String ID: %d/%02d/%02d
                        • API String ID: 4054740463-328681919
                        • Opcode ID: 9d5ffad5a227b820de641d5e14cb915cfcd89a4fef6085a1327c449f377fe51c
                        • Instruction ID: 879c40c0bdbdbd468bc3722da3e7d2ae0eb1cfab1e48f15592368536cc788274
                        • Opcode Fuzzy Hash: 9d5ffad5a227b820de641d5e14cb915cfcd89a4fef6085a1327c449f377fe51c
                        • Instruction Fuzzy Hash: 3A12C0B1600215AFEB249F24CD49FAE7FE8EF45710F1082A9F619DB1E1DB749941CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A8F998
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ACF474
                        • IsIconic.USER32(00000000), ref: 00ACF47D
                        • ShowWindow.USER32(00000000,00000009), ref: 00ACF48A
                        • SetForegroundWindow.USER32(00000000), ref: 00ACF494
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ACF4AA
                        • GetCurrentThreadId.KERNEL32 ref: 00ACF4B1
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ACF4BD
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACF4CE
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACF4D6
                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00ACF4DE
                        • SetForegroundWindow.USER32(00000000), ref: 00ACF4E1
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACF4F6
                        • keybd_event.USER32(00000012,00000000), ref: 00ACF501
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACF50B
                        • keybd_event.USER32(00000012,00000000), ref: 00ACF510
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACF519
                        • keybd_event.USER32(00000012,00000000), ref: 00ACF51E
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACF528
                        • keybd_event.USER32(00000012,00000000), ref: 00ACF52D
                        • SetForegroundWindow.USER32(00000000), ref: 00ACF530
                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00ACF557
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        • Opcode ID: 1c597a6436eac8637be03d532cd687f385cfa7d2454f8a3dfdc4bd1e6ecb7727
                        • Instruction ID: f488b383145472b5f1feeb286e47f7ef0c7add4faafab42dc3c519c7c752c298
                        • Opcode Fuzzy Hash: 1c597a6436eac8637be03d532cd687f385cfa7d2454f8a3dfdc4bd1e6ecb7727
                        • Instruction Fuzzy Hash: C5317471A40218BFEB206BB55C4AFBF7E6DEB54B50F110169FA01E71D1CBB15D00AA60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD170D
                          • Part of subcall function 00AD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD173A
                          • Part of subcall function 00AD16C3: GetLastError.KERNEL32 ref: 00AD174A
                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00AD1286
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00AD12A8
                        • CloseHandle.KERNEL32(?), ref: 00AD12B9
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AD12D1
                        • GetProcessWindowStation.USER32 ref: 00AD12EA
                        • SetProcessWindowStation.USER32(00000000), ref: 00AD12F4
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AD1310
                          • Part of subcall function 00AD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD11FC), ref: 00AD10D4
                          • Part of subcall function 00AD10BF: CloseHandle.KERNEL32(?,?,00AD11FC), ref: 00AD10E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                        • String ID: $default$winsta0
                        • API String ID: 22674027-1027155976
                        • Opcode ID: 08b2815e1b36b4fd7008cbad2a9485d45c1c62dca58921444acf5b9109ba7b6d
                        • Instruction ID: 00e3a0389be4edea598c2e89933d867af830a4ce9d8933bed207395cac56b485
                        • Opcode Fuzzy Hash: 08b2815e1b36b4fd7008cbad2a9485d45c1c62dca58921444acf5b9109ba7b6d
                        • Instruction Fuzzy Hash: 82817EB1A00209BFDF219FA4DD49FEE7FB9EF04704F14412AF912A62A0DB758945CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD1114
                          • Part of subcall function 00AD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1120
                          • Part of subcall function 00AD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD112F
                          • Part of subcall function 00AD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1136
                          • Part of subcall function 00AD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD0BCC
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD0C00
                        • GetLengthSid.ADVAPI32(?), ref: 00AD0C17
                        • GetAce.ADVAPI32(?,00000000,?), ref: 00AD0C51
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD0C6D
                        • GetLengthSid.ADVAPI32(?), ref: 00AD0C84
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AD0C8C
                        • HeapAlloc.KERNEL32(00000000), ref: 00AD0C93
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD0CB4
                        • CopySid.ADVAPI32(00000000), ref: 00AD0CBB
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD0CEA
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD0D0C
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD0D1E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0D45
                        • HeapFree.KERNEL32(00000000), ref: 00AD0D4C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0D55
                        • HeapFree.KERNEL32(00000000), ref: 00AD0D5C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0D65
                        • HeapFree.KERNEL32(00000000), ref: 00AD0D6C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00AD0D78
                        • HeapFree.KERNEL32(00000000), ref: 00AD0D7F
                          • Part of subcall function 00AD1193: GetProcessHeap.KERNEL32(00000008,00AD0BB1,?,00000000,?,00AD0BB1,?), ref: 00AD11A1
                          • Part of subcall function 00AD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AD0BB1,?), ref: 00AD11A8
                          • Part of subcall function 00AD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AD0BB1,?), ref: 00AD11B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: 7110d5c0b06425d100cadbb1828e0a9a5750965575e95c6b5a9910a5397f9bfe
                        • Instruction ID: 70a0cb2b4983dffa15016adf77e755c05f86c28d62051aee904194537223611a
                        • Opcode Fuzzy Hash: 7110d5c0b06425d100cadbb1828e0a9a5750965575e95c6b5a9910a5397f9bfe
                        • Instruction Fuzzy Hash: 98715C7290020AAFDF10DFA4DC48FEEBBB9BF15310F148616F956A7291DB71A905CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • OpenClipboard.USER32(00B0CC08), ref: 00AEEB29
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AEEB37
                        • GetClipboardData.USER32(0000000D), ref: 00AEEB43
                        • CloseClipboard.USER32 ref: 00AEEB4F
                        • GlobalLock.KERNEL32(00000000), ref: 00AEEB87
                        • CloseClipboard.USER32 ref: 00AEEB91
                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00AEEBBC
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00AEEBC9
                        • GetClipboardData.USER32(00000001), ref: 00AEEBD1
                        • GlobalLock.KERNEL32(00000000), ref: 00AEEBE2
                        • GlobalUnlock.KERNEL32(00000000,?), ref: 00AEEC22
                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 00AEEC38
                        • GetClipboardData.USER32(0000000F), ref: 00AEEC44
                        • GlobalLock.KERNEL32(00000000), ref: 00AEEC55
                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00AEEC77
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AEEC94
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AEECD2
                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00AEECF3
                        • CountClipboardFormats.USER32 ref: 00AEED14
                        • CloseClipboard.USER32 ref: 00AEED59
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                        • String ID:
                        • API String ID: 420908878-0
                        • Opcode ID: bdbc3621376fda06da821af9673e1f3f3d7840c4155c750b53f9e1c7a791b54c
                        • Instruction ID: 6cb3b5f29a3e783b30e48b20e3508dd4aec7195b86e4f689a92450a1ab8f28b4
                        • Opcode Fuzzy Hash: bdbc3621376fda06da821af9673e1f3f3d7840c4155c750b53f9e1c7a791b54c
                        • Instruction Fuzzy Hash: 5D61FE35204241AFD310EF21DC99F2ABBE4AF94704F14865DF45A8B2A2DF31DD09CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 00AE69BE
                        • FindClose.KERNEL32(00000000), ref: 00AE6A12
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AE6A4E
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AE6A75
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AE6AB2
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AE6ADF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                        • API String ID: 3830820486-3289030164
                        • Opcode ID: d20041c462c5f950a2e7191688f71743a671be8189b77e000b9a6c59acf8987b
                        • Instruction ID: b743e82061dc67a7c93ab28d9c758afab5a684fa5fcbdb03cb14d9f074616af6
                        • Opcode Fuzzy Hash: d20041c462c5f950a2e7191688f71743a671be8189b77e000b9a6c59acf8987b
                        • Instruction Fuzzy Hash: 40D14D72508340AEC710EBA5CD96EAFB7ECAF98704F04891DF589C7191EB74DA44CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AE9663
                        • GetFileAttributesW.KERNEL32(?), ref: 00AE96A1
                        • SetFileAttributesW.KERNEL32(?,?), ref: 00AE96BB
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00AE96D3
                        • FindClose.KERNEL32(00000000), ref: 00AE96DE
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00AE96FA
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE974A
                        • SetCurrentDirectoryW.KERNEL32(00B36B7C), ref: 00AE9768
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE9772
                        • FindClose.KERNEL32(00000000), ref: 00AE977F
                        • FindClose.KERNEL32(00000000), ref: 00AE978F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1409584000-438819550
                        • Opcode ID: 943ff42f695363ec6172ae93d227a16119c83c23163ae2f926ea965adf704604
                        • Instruction ID: e1c97df55e86590bd17e40c5c7a17f1f19afa8a48b04dd2ccc3b5fae2081e127
                        • Opcode Fuzzy Hash: 943ff42f695363ec6172ae93d227a16119c83c23163ae2f926ea965adf704604
                        • Instruction Fuzzy Hash: F331A2326403596ADF24AFB5DC49ADF7BACAF09360F2041A6F915E30A1EB30DD448A54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AE97BE
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00AE9819
                        • FindClose.KERNEL32(00000000), ref: 00AE9824
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00AE9840
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE9890
                        • SetCurrentDirectoryW.KERNEL32(00B36B7C), ref: 00AE98AE
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE98B8
                        • FindClose.KERNEL32(00000000), ref: 00AE98C5
                        • FindClose.KERNEL32(00000000), ref: 00AE98D5
                          • Part of subcall function 00ADDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ADDB00
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 2640511053-438819550
                        • Opcode ID: 43e43de360a14ead56a0b2f3653b8866da9dec3e4e9a5c6e8e4f96fc125fb8e6
                        • Instruction ID: 671f5e6822c5f85c8e1bc38cfb9ecb89e7119f92c817ce794fbaa8eacb4f3487
                        • Opcode Fuzzy Hash: 43e43de360a14ead56a0b2f3653b8866da9dec3e4e9a5c6e8e4f96fc125fb8e6
                        • Instruction Fuzzy Hash: 1631C3325003596ADF24AFB5DC49ADF7BAC9F06320F208195E814A31F1EB30DD458B64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AFB6AE,?,?), ref: 00AFC9B5
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFC9F1
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA68
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFBF3E
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00AFBFA9
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFBFCD
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AFC02C
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AFC0E7
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AFC154
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AFC1E9
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00AFC23A
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00AFC2E3
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AFC382
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFC38F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                        • String ID:
                        • API String ID: 3102970594-0
                        • Opcode ID: 7cc44ef9da464aeb944e747c0790e6bae1038fae04bf7aa9f01c2ce0f8bc94e4
                        • Instruction ID: 8f6f5454629322d828df7d3bf1c590506283b117f6e03cf6a3008356a6e3832d
                        • Opcode Fuzzy Hash: 7cc44ef9da464aeb944e747c0790e6bae1038fae04bf7aa9f01c2ce0f8bc94e4
                        • Instruction Fuzzy Hash: 5A025B70604204AFD714DF68C991E2ABBE5EF89318F18C59DF94ACB2A2DB31EC45CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 00AE8257
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AE8267
                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AE8273
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE8310
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE8324
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE8356
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AE838C
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE8395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CurrentDirectoryTime$File$Local$System
                        • String ID: *.*
                        • API String ID: 1464919966-438819550
                        • Opcode ID: 98eb6abdb3860f518dd213437e74716c638b29ad805e8714d372e921d7be5d0e
                        • Instruction ID: c5d862baf0d8c307c795323e421425f7cbc96872ec4e4ee681a54eddc17c89e0
                        • Opcode Fuzzy Hash: 98eb6abdb3860f518dd213437e74716c638b29ad805e8714d372e921d7be5d0e
                        • Instruction Fuzzy Hash: FD6198B21043459FCB10EF61C9419AFB3E8FF89314F04891EF99A97251EB35E905CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A73A97,?,?,00A72E7F,?,?,?,00000000), ref: 00A73AC2
                          • Part of subcall function 00ADE199: GetFileAttributesW.KERNEL32(?,00ADCF95), ref: 00ADE19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 00ADD122
                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00ADD1DD
                        • MoveFileW.KERNEL32(?,?), ref: 00ADD1F0
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00ADD20D
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADD237
                          • Part of subcall function 00ADD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00ADD21C,?,?), ref: 00ADD2B2
                        • FindClose.KERNEL32(00000000,?,?,?), ref: 00ADD253
                        • FindClose.KERNEL32(00000000), ref: 00ADD264
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                        • String ID: \*.*
                        • API String ID: 1946585618-1173974218
                        • Opcode ID: 79d79ca40a2088899bcf789d5898ed4c32b114c2a1064f1659a44ed131539c78
                        • Instruction ID: 4dd6d2c1d0bab92b9d0790f2fb084ab1e12ae0b54df4b151c56793ca0ea9ee78
                        • Opcode Fuzzy Hash: 79d79ca40a2088899bcf789d5898ed4c32b114c2a1064f1659a44ed131539c78
                        • Instruction Fuzzy Hash: 72615E3190110DABCF05EBE0DE92DEEB775AF65300F248166E40677292EB319F09DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        • API String ID: 1737998785-0
                        • Opcode ID: 611ccfe3709d97f059def0c2211d1dfcedfdbc0211e4bfc8f176ffb5bc5ad036
                        • Instruction ID: b13191a4a109412eacaa041fe73ee3d0b2d4874fb2c192b06f790b5153775f12
                        • Opcode Fuzzy Hash: 611ccfe3709d97f059def0c2211d1dfcedfdbc0211e4bfc8f176ffb5bc5ad036
                        • Instruction Fuzzy Hash: AE41AF35604651AFE720DF16D888F1ABBE5FF54328F14C199E41A8B7A2CB36ED41CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD170D
                          • Part of subcall function 00AD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD173A
                          • Part of subcall function 00AD16C3: GetLastError.KERNEL32 ref: 00AD174A
                        • ExitWindowsEx.USER32(?,00000000), ref: 00ADE932
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $ $@$SeShutdownPrivilege
                        • API String ID: 2234035333-3163812486
                        • Opcode ID: 7503049f2490c89f699d7589a3aac8558b5c3716be719a9f32afc9ff7d4bb047
                        • Instruction ID: aca793359917f3b6a88d55f77872ae8f3e250b0a57b3683224dbba37c38ad43b
                        • Opcode Fuzzy Hash: 7503049f2490c89f699d7589a3aac8558b5c3716be719a9f32afc9ff7d4bb047
                        • Instruction Fuzzy Hash: DE014972611211BBEB14B7B49C9AFBFB3ACA714750F140923FC23E73D1DAA05C408190
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AF1276
                        • WSAGetLastError.WSOCK32 ref: 00AF1283
                        • bind.WSOCK32(00000000,?,00000010), ref: 00AF12BA
                        • WSAGetLastError.WSOCK32 ref: 00AF12C5
                        • closesocket.WSOCK32(00000000), ref: 00AF12F4
                        • listen.WSOCK32(00000000,00000005), ref: 00AF1303
                        • WSAGetLastError.WSOCK32 ref: 00AF130D
                        • closesocket.WSOCK32(00000000), ref: 00AF133C
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast$closesocket$bindlistensocket
                        • String ID:
                        • API String ID: 540024437-0
                        • Opcode ID: 721ba6846010c3cbcfbd273ff11b2d1955d19b23f20abd946ba3a6d5eaa96ffa
                        • Instruction ID: 4c6bb0d8a0c489bd3df7be1059f0675326d992dc408c30f4a03c46b389150135
                        • Opcode Fuzzy Hash: 721ba6846010c3cbcfbd273ff11b2d1955d19b23f20abd946ba3a6d5eaa96ffa
                        • Instruction Fuzzy Hash: 59417E31A00244DFD710DFA4C588B7ABBE5AF46318F18C198E9569F2A2C771ED81CBE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00AAB9D4
                        • _free.LIBCMT ref: 00AAB9F8
                        • _free.LIBCMT ref: 00AABB7F
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B13700), ref: 00AABB91
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00B4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00AABC09
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00B41270,000000FF,?,0000003F,00000000,?), ref: 00AABC36
                        • _free.LIBCMT ref: 00AABD4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                        • String ID:
                        • API String ID: 314583886-0
                        • Opcode ID: 1cf88298a6d2fefaab0a5309c2be45aecff3a1812eec45e8a552ded289c8c1a8
                        • Instruction ID: a5bc9e6cfe88e5fa2ad651767b0ae5e0c7a5c938ca6edf9ac0740c402e2eb57b
                        • Opcode Fuzzy Hash: 1cf88298a6d2fefaab0a5309c2be45aecff3a1812eec45e8a552ded289c8c1a8
                        • Instruction Fuzzy Hash: 89C10271A14244AFCB21DF68D941BAABBB8EF47360F14459AE495DB2D3EB308E41C770
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A73A97,?,?,00A72E7F,?,?,?,00000000), ref: 00A73AC2
                          • Part of subcall function 00ADE199: GetFileAttributesW.KERNEL32(?,00ADCF95), ref: 00ADE19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 00ADD420
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00ADD470
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00ADD481
                        • FindClose.KERNEL32(00000000), ref: 00ADD498
                        • FindClose.KERNEL32(00000000), ref: 00ADD4A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                        • String ID: \*.*
                        • API String ID: 2649000838-1173974218
                        • Opcode ID: d12d8dcf75f915f62641c3c6f3d5ad3d65d762695cde2a7cb5e0ea05111272d3
                        • Instruction ID: e2baaf7c8b2cb34f9f0af568cce242cf6ee308c4c33854f9e98015c330a9648b
                        • Opcode Fuzzy Hash: d12d8dcf75f915f62641c3c6f3d5ad3d65d762695cde2a7cb5e0ea05111272d3
                        • Instruction Fuzzy Hash: 8B316271018345ABC304EF64DD529AF77E8AEA5314F44CA1EF4DA532A1EB30EA09D763
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: a7333ced993625d096852d01c9d4e71ad0df3342f4d8ade422247072ca3913fc
                        • Instruction ID: 5816c870a07ccc55dc1714e2518fff73a0234710c23c97127835941fb64f0d34
                        • Opcode Fuzzy Hash: a7333ced993625d096852d01c9d4e71ad0df3342f4d8ade422247072ca3913fc
                        • Instruction Fuzzy Hash: 21C23A71E046298FDB29CF68DD407EAB7B5EB4A305F1441EAD44DE7280E779AE818F40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _wcslen.LIBCMT ref: 00AE64DC
                        • CoInitialize.OLE32(00000000), ref: 00AE6639
                        • CoCreateInstance.OLE32(00B0FCF8,00000000,00000001,00B0FB68,?), ref: 00AE6650
                        • CoUninitialize.OLE32 ref: 00AE68D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 886957087-24824748
                        • Opcode ID: 1a3237b97e5601cb2e9c5ea588ef5227f2f9842eeae9c0e68500023a500ee9c3
                        • Instruction ID: bad0c59d29a4b5de16e4d35cba98627945fba0d38f6b939276c555f66fa68eba
                        • Opcode Fuzzy Hash: 1a3237b97e5601cb2e9c5ea588ef5227f2f9842eeae9c0e68500023a500ee9c3
                        • Instruction Fuzzy Hash: DBD13971608341AFC314DF24C981E6BB7E8FF94744F10896DF5998B2A1EB70E905CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetForegroundWindow.USER32(?,?,00000000), ref: 00AF22E8
                          • Part of subcall function 00AEE4EC: GetWindowRect.USER32(?,?), ref: 00AEE504
                        • GetDesktopWindow.USER32 ref: 00AF2312
                        • GetWindowRect.USER32(00000000), ref: 00AF2319
                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00AF2355
                        • GetCursorPos.USER32(?), ref: 00AF2381
                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AF23DF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                        • String ID:
                        • API String ID: 2387181109-0
                        • Opcode ID: a42d9a1fb161ab80364f80bf0dd02608f8d1af5518fc20300bf04c19c34697d1
                        • Instruction ID: 40003c87209cc047f5b3bd4bc27c408c7abf67c7e72ed6c6a9ca2c9e7790003d
                        • Opcode Fuzzy Hash: a42d9a1fb161ab80364f80bf0dd02608f8d1af5518fc20300bf04c19c34697d1
                        • Instruction Fuzzy Hash: 4031E3B2505319AFC720DF54CC45F6BBBA9FF94314F000A1AF9899B191DB34EA08CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AE9B78
                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AE9C8B
                          • Part of subcall function 00AE3874: GetInputState.USER32 ref: 00AE38CB
                          • Part of subcall function 00AE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE3966
                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AE9BA8
                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AE9C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                        • String ID: *.*
                        • API String ID: 1972594611-438819550
                        • Opcode ID: 7b59a98d67b2ee895caa5ff1d6fcc95e43555ad04b90ab2d323cd4f0e0defccd
                        • Instruction ID: e6e3dcaca25c4c021fa2e03d00bf2add84b30e1d0e0848a60d69a76bad3ba6b5
                        • Opcode Fuzzy Hash: 7b59a98d67b2ee895caa5ff1d6fcc95e43555ad04b90ab2d323cd4f0e0defccd
                        • Instruction Fuzzy Hash: 7B416D7190024AAFCF54EF65C986AEEBBF8EF55310F248156E805A3191EB309E84CF61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A89A4E
                        • GetSysColor.USER32(0000000F), ref: 00A89B23
                        • SetBkColor.GDI32(?,00000000), ref: 00A89B36
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Color$LongProcWindow
                        • String ID:
                        • API String ID: 3131106179-0
                        • Opcode ID: 9d1d56a4628c83b829e4c14544823cb246c308a83124c35103350346fc3e4d4f
                        • Instruction ID: cb08d6d371234aa8a0ae1348ada3e93458276d5982dc6a20020f56de6d563c04
                        • Opcode Fuzzy Hash: 9d1d56a4628c83b829e4c14544823cb246c308a83124c35103350346fc3e4d4f
                        • Instruction Fuzzy Hash: 6AA11870208404BEE729BB2C8C49F7F7EADEB42380B19420DF512D6AD2CA259E42D775
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AF307A
                          • Part of subcall function 00AF304E: _wcslen.LIBCMT ref: 00AF309B
                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AF185D
                        • WSAGetLastError.WSOCK32 ref: 00AF1884
                        • bind.WSOCK32(00000000,?,00000010), ref: 00AF18DB
                        • WSAGetLastError.WSOCK32 ref: 00AF18E6
                        • closesocket.WSOCK32(00000000), ref: 00AF1915
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 1601658205-0
                        • Opcode ID: c0b32d22c6b068d2fab8d406fc1d79dbce40340cab9cf6fbd469071879aab0b6
                        • Instruction ID: 482b6933cbdb90446cc93475794ece86a92902fb3dde778be6cc135f5423bb78
                        • Opcode Fuzzy Hash: c0b32d22c6b068d2fab8d406fc1d79dbce40340cab9cf6fbd469071879aab0b6
                        • Instruction Fuzzy Hash: 68519071A00200AFDB10AF64C986F7A77E5AB45718F14C558FA0A5F293DB71AD418BE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                        • String ID:
                        • API String ID: 292994002-0
                        • Opcode ID: b7837e408c2b42fca28f733668584c12501bfa6576dc7f766a79fec6c0dbcc21
                        • Instruction ID: 3c8182b41214970d65bd622bd6ea39654e101aeefe0d627ba84240100365214f
                        • Opcode Fuzzy Hash: b7837e408c2b42fca28f733668584c12501bfa6576dc7f766a79fec6c0dbcc21
                        • Instruction Fuzzy Hash: 312171317402115FE7348F2AD884B6A7FE5FF95325F1984A8E84A8B391CB71DC42CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        • API String ID: 0-1546025612
                        • Opcode ID: 8c824131177e322c51d9cbfa8ec251956fae816e011cbdf0b4f941ac413ede50
                        • Instruction ID: adb0df9d693728f49b792740a6a156dcfdfc73e013db5231897092a519532d09
                        • Opcode Fuzzy Hash: 8c824131177e322c51d9cbfa8ec251956fae816e011cbdf0b4f941ac413ede50
                        • Instruction Fuzzy Hash: 93A26F71E4061ACBDF24CF68C9447EDB7B5BF54310F24C1A9D819AB286EB789D81CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00AFA6AC
                        • Process32FirstW.KERNEL32(00000000,?), ref: 00AFA6BA
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • Process32NextW.KERNEL32(00000000,?), ref: 00AFA79C
                        • CloseHandle.KERNEL32(00000000), ref: 00AFA7AB
                          • Part of subcall function 00A8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AB3303,?), ref: 00A8CE8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                        • String ID:
                        • API String ID: 1991900642-0
                        • Opcode ID: ca649f1d0bb44f25533f1d17e48ec43b4a1d2073d5a2ac4b6daa672d6d7d4c33
                        • Instruction ID: 37f4d448af795d42a1a43b35ddc8c2eb4dca16844d4409c7b4d3be23f449768d
                        • Opcode Fuzzy Hash: ca649f1d0bb44f25533f1d17e48ec43b4a1d2073d5a2ac4b6daa672d6d7d4c33
                        • Instruction Fuzzy Hash: AB514AB1508300AFD710EF64C986E6BBBE8FF99754F00892DF58997252EB70D904CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00ADAAAC
                        • SetKeyboardState.USER32(00000080), ref: 00ADAAC8
                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00ADAB36
                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00ADAB88
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 1f297a5e7e9e34ed9eba12b6613169eca1a08febfcb6fe550e35a4d07bc43e5d
                        • Instruction ID: 27654cf06160810720a16b5a5d57d887be7fb00cef88ec0e8b8320633b99b04e
                        • Opcode Fuzzy Hash: 1f297a5e7e9e34ed9eba12b6613169eca1a08febfcb6fe550e35a4d07bc43e5d
                        • Instruction Fuzzy Hash: 9831F430A40248AEFB358B648C05BFA7BAAEB65310F14431BF593963E1D775CD82C762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00AECE89
                        • GetLastError.KERNEL32(?,00000000), ref: 00AECEEA
                        • SetEvent.KERNEL32(?,?,00000000), ref: 00AECEFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorEventFileInternetLastRead
                        • String ID:
                        • API String ID: 234945975-0
                        • Opcode ID: 597bc9614b9e7970775ed5cc54b0f4253000401f2b711fc52fe21d7c48ed2a13
                        • Instruction ID: 2aecaea25b493c096d8be3fc954ab1b275d8c862e4fbc30fa2aca91809f791ef
                        • Opcode Fuzzy Hash: 597bc9614b9e7970775ed5cc54b0f4253000401f2b711fc52fe21d7c48ed2a13
                        • Instruction Fuzzy Hash: 1E21AF71600345AFDB30DFA6C949BAB7BFCEB50364F10441EE546D2151EB74EE068B64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AD82AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($|
                        • API String ID: 1659193697-1631851259
                        • Opcode ID: c4ce4d3905aa7623f1b26e591f8728e6fb7da520fcefb3cf09f9b0f274ef1061
                        • Instruction ID: 127fd411bf28825c595e55c85b032d2ba39d77d16864dcb7cc7333e98d6ba913
                        • Opcode Fuzzy Hash: c4ce4d3905aa7623f1b26e591f8728e6fb7da520fcefb3cf09f9b0f274ef1061
                        • Instruction Fuzzy Hash: 2D322575A007059FCB28CF59C481AAAB7F0FF48720B15C56EE59ADB3A1EB74E941CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 00AE5CC1
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00AE5D17
                        • FindClose.KERNEL32(?), ref: 00AE5D5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: 03ff2c08ad2890ac5a29434db48aa538f23426c94ddb01833f708501c94bd6ca
                        • Instruction ID: 9f7dd7a128e9a3cb73a08acbd36c0fa894a4239f6d3084cc86ef2f9aa2ef4a5b
                        • Opcode Fuzzy Hash: 03ff2c08ad2890ac5a29434db48aa538f23426c94ddb01833f708501c94bd6ca
                        • Instruction Fuzzy Hash: 9751AA34A04A419FC714DF29D8D4A9AB7E4FF4A328F14855DE95A8B3A2DB30ED04CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 00AA271A
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AA2724
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00AA2731
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: ae7574a467d58818723f4f31f393f675360f4cff5e3cc5b9872a88a388cf91b9
                        • Instruction ID: 47acf66ad5045ba36aae1e8f7b80af5d727eed7e5c9e0f92f529ff3cfb54cb2a
                        • Opcode Fuzzy Hash: ae7574a467d58818723f4f31f393f675360f4cff5e3cc5b9872a88a388cf91b9
                        • Instruction Fuzzy Hash: 1031C87491121CABCB21DF68DD897DDBBB8AF18350F5041DAE81CA72A1EB349F818F45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00AE51DA
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AE5238
                        • SetErrorMode.KERNEL32(00000000), ref: 00AE52A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: 04537e79f1235365884dbb46faa3e523b9e12c5d7db32b18dbe874dd372a73a6
                        • Instruction ID: 9d22aaebe282dcfe80f35f482f8d1951b6e10e5434d4125e9a8a6023d948d494
                        • Opcode Fuzzy Hash: 04537e79f1235365884dbb46faa3e523b9e12c5d7db32b18dbe874dd372a73a6
                        • Instruction Fuzzy Hash: 43316175A00618DFDB00DF64D884EEDBBB4FF49318F148099E909AB352DB71E855CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A90668
                          • Part of subcall function 00A8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A90685
                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD170D
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD173A
                        • GetLastError.KERNEL32 ref: 00AD174A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID:
                        • API String ID: 577356006-0
                        • Opcode ID: fd6a852c6b5fa1186c13e020c2f123121addb6e4eec0b16f7e7f5afdfdd355ca
                        • Instruction ID: 400152a18c10f7cbe07cfa24f9eb314852d71b56e0d4b2c2a18e6f9216514b56
                        • Opcode Fuzzy Hash: fd6a852c6b5fa1186c13e020c2f123121addb6e4eec0b16f7e7f5afdfdd355ca
                        • Instruction Fuzzy Hash: 4711CEB2400305BFE718AF64DC86D6ABBBDFB04714B20852EE45653251EB70FC418B24
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ADD608
                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00ADD645
                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00ADD650
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID:
                        • API String ID: 33631002-0
                        • Opcode ID: bed6d9450a69a4c8f7c5802492fcb4500b10eb0d41dd6f02c1403ee2cbabdf0c
                        • Instruction ID: 090385d4d59b973a124f7f50b2779b55e4a27f12670bf260e80cd75a35a1db5b
                        • Opcode Fuzzy Hash: bed6d9450a69a4c8f7c5802492fcb4500b10eb0d41dd6f02c1403ee2cbabdf0c
                        • Instruction Fuzzy Hash: 9B113C75E05228BFDB108F959C45FAFBFBCEB45B50F108156F914E7290D6704A058BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AD168C
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AD16A1
                        • FreeSid.ADVAPI32(?), ref: 00AD16B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: dace6147195b8d27e60b6e92dea3e5212a4fb4d9561f7360a3279675d28e956f
                        • Instruction ID: 42a5a7018578d9954aa05804dc1ef8b83270aca9bd553ef3a0cc2e8e8f933af9
                        • Opcode Fuzzy Hash: dace6147195b8d27e60b6e92dea3e5212a4fb4d9561f7360a3279675d28e956f
                        • Instruction Fuzzy Hash: 9AF0F471950309FBEB00DFE49D89AAEBBBCEB08604F504565E501E2181E774AA448A50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentProcess.KERNEL32(00AA28E9,?,00A94CBE,00AA28E9,00B388B8,0000000C,00A94E15,00AA28E9,00000002,00000000,?,00AA28E9), ref: 00A94D09
                        • TerminateProcess.KERNEL32(00000000,?,00A94CBE,00AA28E9,00B388B8,0000000C,00A94E15,00AA28E9,00000002,00000000,?,00AA28E9), ref: 00A94D10
                        • ExitProcess.KERNEL32 ref: 00A94D22
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: 188288780e7df14438d90de11da9e32d3af8b92c8d067f54ab6fcea85d89d10c
                        • Instruction ID: a21c8eb72c011e8169d32d7942e3eaff52712fc7b8de0c42a2bb39adb32a7924
                        • Opcode Fuzzy Hash: 188288780e7df14438d90de11da9e32d3af8b92c8d067f54ab6fcea85d89d10c
                        • Instruction Fuzzy Hash: E2E0B635110148AFCF15AF54DE49E593FA9FB5A781B108114FC059B122CF35DD42CA84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: /
                        • API String ID: 0-2043925204
                        • Opcode ID: 360e8eb3023752d79f57edee44b5ee42ea558abb92bb987f5908e7ed2964b0c4
                        • Instruction ID: f86b3f7e81846e961a232a75119190bad8dc1c8564fb8becf87b2c8ac247a057
                        • Opcode Fuzzy Hash: 360e8eb3023752d79f57edee44b5ee42ea558abb92bb987f5908e7ed2964b0c4
                        • Instruction Fuzzy Hash: 294149765002186FDB20AFB9CC48EBBB7B8EB85324F104269F915DB1C0E7719D40CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetUserNameW.ADVAPI32(?,?), ref: 00ACD28C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID: X64
                        • API String ID: 2645101109-893830106
                        • Opcode ID: ef01be05c2f805a5fe7be98b8a42fd2233a6f34cfbd7b4e8ffad36e3a4e2624d
                        • Instruction ID: 46080c3d43b053748c2f4e1b4371d34576d0dbd449f5dc15099de8990533dcf4
                        • Opcode Fuzzy Hash: ef01be05c2f805a5fe7be98b8a42fd2233a6f34cfbd7b4e8ffad36e3a4e2624d
                        • Instruction Fuzzy Hash: B7D0E9B581511DEACB94DB90DC88DD9B77CBB14345F104655F506A2140DB7496499F10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction ID: 9deebd328bd85a722e6c14b3810b7c3056d670c80c51a7fb276b07513079fbc6
                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction Fuzzy Hash: 61021C71F006199FDF14CFA9C9806ADFBF1EF48324F25816AD819EB384D731AA418B94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 00AE6918
                        • FindClose.KERNEL32(00000000), ref: 00AE6961
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: aa6ad99a5b59bbca8a1f1524574b5cdf521b80d2511fba665adcb2bb5b4b9903
                        • Instruction ID: 1984553dd1a3e635ab13cf3d7afeff2a3db215eae9aa231e5b62f796bb606aac
                        • Opcode Fuzzy Hash: aa6ad99a5b59bbca8a1f1524574b5cdf521b80d2511fba665adcb2bb5b4b9903
                        • Instruction Fuzzy Hash: AF1190316042409FC710DF2AD884A1ABBE5FF95328F14C69DE4698F6A2CB30EC05CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00AF4891,?,?,00000035,?), ref: 00AE37E4
                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00AF4891,?,?,00000035,?), ref: 00AE37F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: 9318930e59dbdaa7c8adc3c3258d045251eee4bd0a182c75207f710c1c41dabe
                        • Instruction ID: b512155135099e17599bcdb08aa2e22db88cfa25b6a7e4a2c4c1c82463208549
                        • Opcode Fuzzy Hash: 9318930e59dbdaa7c8adc3c3258d045251eee4bd0a182c75207f710c1c41dabe
                        • Instruction Fuzzy Hash: 86F0E5B16052282AEB2057778D4DFEB3AAEEFC4761F000265F509D3281DA609904C6B0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00ADB25D
                        • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00ADB270
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: InputSendkeybd_event
                        • String ID:
                        • API String ID: 3536248340-0
                        • Opcode ID: 908460298a5944318027a4ae349f71526be28f158c194ffcacbdd6b154872390
                        • Instruction ID: b113a7bb085da54a5da9be70c281771d5ecea8ba6009eaff5dcae3d9aa3ad607
                        • Opcode Fuzzy Hash: 908460298a5944318027a4ae349f71526be28f158c194ffcacbdd6b154872390
                        • Instruction Fuzzy Hash: 06F01D7581424DABDB059FA0C806BEE7FB4FF14305F00800AF965A6191C77986119FA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD11FC), ref: 00AD10D4
                        • CloseHandle.KERNEL32(?,?,00AD11FC), ref: 00AD10E9
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: 3ff512300ece01b058849a079eede10f8cffebb79edb1a025946fd4ab74182c4
                        • Instruction ID: 42b73bb113931217d76f88de7b9f9430b04221ab5c0a9133d9ae492f13b32f51
                        • Opcode Fuzzy Hash: 3ff512300ece01b058849a079eede10f8cffebb79edb1a025946fd4ab74182c4
                        • Instruction Fuzzy Hash: 3CE04F32014601EEE7252B11FC05E737BA9EB04310B10892EF5A6814B1DB626CA0DB14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • Variable is not of type 'Object'., xrefs: 00AC0C40
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: Variable is not of type 'Object'.
                        • API String ID: 0-1840281001
                        • Opcode ID: 59914db2b3cccdf568a3ebfee9162721f6fe43c27c8f95e5574d2733ec21ff88
                        • Instruction ID: 61b15988d49f543ae5e7407b86f7fd42240f7f674b56a07a0a70ce88386c0f24
                        • Opcode Fuzzy Hash: 59914db2b3cccdf568a3ebfee9162721f6fe43c27c8f95e5574d2733ec21ff88
                        • Instruction Fuzzy Hash: D5324574900218DBDF24DF94C995FEEB7B5AF05314F24C06DE80AAB292DB35AE45CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AA6766,?,?,00000008,?,?,00AAFEFE,00000000), ref: 00AA6998
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: b17a60c73a79520e04eb69ed99d8f101d1efc8021cb19ca52fa6d9146b691f47
                        • Instruction ID: b2f5d13dbd64c830869921ceacafb6419cb70bf3d1bdb721dfa8dcce688d2216
                        • Opcode Fuzzy Hash: b17a60c73a79520e04eb69ed99d8f101d1efc8021cb19ca52fa6d9146b691f47
                        • Instruction Fuzzy Hash: CFB11A716106099FD715CF28C48AB657BB0FF4A364F298658E899CF2E2C735E991CF40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        • Opcode ID: 3ab078a3327812507e9ad67c609239a559be6b38992d227d5ff55dfd7519eb27
                        • Instruction ID: d0e9f9896911170c85f52ecea09db4feecee075fc31faa725dfe5b454576b3d8
                        • Opcode Fuzzy Hash: 3ab078a3327812507e9ad67c609239a559be6b38992d227d5ff55dfd7519eb27
                        • Instruction Fuzzy Hash: F7126F75910229DBCB14DF58C881BEEB7F5FF48710F1181AAE849EB251DB349E81CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • BlockInput.USER32(00000001), ref: 00AEEABD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: BlockInput
                        • String ID:
                        • API String ID: 3456056419-0
                        • Opcode ID: 9422cdb05706ce84893e0fe5b6a14b4771275067555d62d5201a52f584a572c4
                        • Instruction ID: 9155d8dfb91de2b78a2dd54edcaf06c21af4acc9b1b6f6ec6bb20393b3eec2d2
                        • Opcode Fuzzy Hash: 9422cdb05706ce84893e0fe5b6a14b4771275067555d62d5201a52f584a572c4
                        • Instruction Fuzzy Hash: 17E048312102049FC710DF5AD804E9AF7E9AF58770F00C42AFC4AC7351DB70E8408B90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A903EE), ref: 00A909DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 816c751ccc7e2e57e8514b27057a8717ab2a3835c7c6f98b705f44173ad716cd
                        • Instruction ID: 245863b3d48b18914a22c0d74b39271a9e7864404d0952bd3738120d8f362f45
                        • Opcode Fuzzy Hash: 816c751ccc7e2e57e8514b27057a8717ab2a3835c7c6f98b705f44173ad716cd
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 15e8146965bed945fd5017b1c7a45ec730403be3c5e481f86377a79106d45f79
                        • Instruction ID: d029ad5c372cabf3808332dd5df934e954515cfff90266e2f3816988ce5bc416
                        • Opcode Fuzzy Hash: 15e8146965bed945fd5017b1c7a45ec730403be3c5e481f86377a79106d45f79
                        • Instruction Fuzzy Hash: 46323422D29F014DD7239735DC2233AA689AFB73C5F55D737E81AB69A5EF29C4834100
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8a4a620d8dcef67f6805a9d3bb146e22c626d181c184a5cf84a7ea85d6b33032
                        • Instruction ID: 07f399066964015cfe58ac5cfa6a3b0cbd71995b6ade43419481450849dc1923
                        • Opcode Fuzzy Hash: 8a4a620d8dcef67f6805a9d3bb146e22c626d181c184a5cf84a7ea85d6b33032
                        • Instruction Fuzzy Hash: 73322372A041158BCF28CF29C494F7DBBB1EB45330F2A856ED89E9B291E634DD81DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5664e2d6334f8842cdcbeb1555041a72ff4bfcf77ee49d1a5321a98b95c8390
                        • Instruction ID: ad4a7d7fa0ff40135e3c472fb0a2ede7dc353449523ea5fc1b62364a6bd54364
                        • Opcode Fuzzy Hash: f5664e2d6334f8842cdcbeb1555041a72ff4bfcf77ee49d1a5321a98b95c8390
                        • Instruction Fuzzy Hash: 64228F70E0460A9FDF14DF64C981AEEB7F5FF48300F248629E816AB291EB369D55CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ae6de61a5511de438f3ada0fdc41f3adc3d53284130f1546c4b7b96ee8b68cb0
                        • Instruction ID: 2c74be860fe9a1fb07f4e68d0c254fcd589105a12016a01f1cd9901bb8217d38
                        • Opcode Fuzzy Hash: ae6de61a5511de438f3ada0fdc41f3adc3d53284130f1546c4b7b96ee8b68cb0
                        • Instruction Fuzzy Hash: BE0285B1A00106EFDF04DF54D981AEEBBB5FF44340F11C169E81A9B291EB319A61CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c863628519756a30101e66e899b1354aab9473daeb5a3ec09a31f9242a5d49a
                        • Instruction ID: 6cf3dc3baa59226e6b0c1adfb1f266ce4036c31a53213c1eb0e3e7c41c82c812
                        • Opcode Fuzzy Hash: 6c863628519756a30101e66e899b1354aab9473daeb5a3ec09a31f9242a5d49a
                        • Instruction Fuzzy Hash: 4FB1EF20D2AF404DC22396399831336FA9CAFBB6D5B91D31BFC2675D62FF2286834144
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0569c5f829b079632de5b6e2687e7361ed6bd1e091217acd79532c8bfec82d5b
                        • Instruction ID: c507adab69ccbfaf3d5edeee0534ae684addb3b747a8d4690be34dc37e16ac50
                        • Opcode Fuzzy Hash: 0569c5f829b079632de5b6e2687e7361ed6bd1e091217acd79532c8bfec82d5b
                        • Instruction Fuzzy Hash: 1C615671338709A6DE389B2C8D95BBE33E9EF42740F24091AE843DF691DA159E428375
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c91cd18190b0808b9bd5a587dcd6551af578e84fe888b9d186430100c019f7cd
                        • Instruction ID: bce377cc079dae460093f9cbca67f0fe2a853b9f699fd63b7cefefd1ac5ceec8
                        • Opcode Fuzzy Hash: c91cd18190b0808b9bd5a587dcd6551af578e84fe888b9d186430100c019f7cd
                        • Instruction Fuzzy Hash: D0617A7173870997DE388B288991BBF33D4EF42744F140959E943DF281DA16DD428B75
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d604cf87a98e73f11155a7fd560066addd11849543c018993cf1e7ae8f97982e
                        • Instruction ID: c6fdbcbefa982d01c9b174166190a76a7d4ccbed05fc4e82ee97523f12a6ac03
                        • Opcode Fuzzy Hash: d604cf87a98e73f11155a7fd560066addd11849543c018993cf1e7ae8f97982e
                        • Instruction Fuzzy Hash: 0741FD7545E6C20FEB269B30581AC64BFF49D5352430E86EFC4C54F1AFDA61012ED74A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ed348611e1ef842860482e1836b88c6bd2ac6098943554043eaa6af9da8d5c4
                        • Instruction ID: 2b41d8c380a727d1d9c5d7e13fc85c5a302e403d1525b429dbf206b5addb46eb
                        • Opcode Fuzzy Hash: 4ed348611e1ef842860482e1836b88c6bd2ac6098943554043eaa6af9da8d5c4
                        • Instruction Fuzzy Hash: 2821A5326206158BDB28CF79C82267A73E9B754310F558A2EE4A7C37D1DE35AD04DB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00AF2B30
                        • DeleteObject.GDI32(00000000), ref: 00AF2B43
                        • DestroyWindow.USER32 ref: 00AF2B52
                        • GetDesktopWindow.USER32 ref: 00AF2B6D
                        • GetWindowRect.USER32(00000000), ref: 00AF2B74
                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00AF2CA3
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00AF2CB1
                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2CF8
                        • GetClientRect.USER32(00000000,?), ref: 00AF2D04
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AF2D40
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2D62
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2D75
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2D80
                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2D89
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2D98
                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2DA1
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2DA8
                        • GlobalFree.KERNEL32(00000000), ref: 00AF2DB3
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2DC5
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B0FC38,00000000), ref: 00AF2DDB
                        • GlobalFree.KERNEL32(00000000), ref: 00AF2DEB
                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00AF2E11
                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00AF2E30
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF2E52
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AF303F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                        • String ID: $AutoIt v3$DISPLAY$static
                        • API String ID: 2211948467-2373415609
                        • Opcode ID: 314c53f3d49280dab344ce738d958547e9c3c04511f9ba46a4cd39ec71e1a920
                        • Instruction ID: 20d9cd9bc152a0a0f81168f98927bd59478f3c649b00d87db07924c25d15d8bb
                        • Opcode Fuzzy Hash: 314c53f3d49280dab344ce738d958547e9c3c04511f9ba46a4cd39ec71e1a920
                        • Instruction Fuzzy Hash: CC027C75900209AFDB14DFA4CD89EAE7BB9FF49710F148658F915AB2A1CB70ED01CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 00B0712F
                        • GetSysColorBrush.USER32(0000000F), ref: 00B07160
                        • GetSysColor.USER32(0000000F), ref: 00B0716C
                        • SetBkColor.GDI32(?,000000FF), ref: 00B07186
                        • SelectObject.GDI32(?,?), ref: 00B07195
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00B071C0
                        • GetSysColor.USER32(00000010), ref: 00B071C8
                        • CreateSolidBrush.GDI32(00000000), ref: 00B071CF
                        • FrameRect.USER32(?,?,00000000), ref: 00B071DE
                        • DeleteObject.GDI32(00000000), ref: 00B071E5
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00B07230
                        • FillRect.USER32(?,?,?), ref: 00B07262
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B07284
                          • Part of subcall function 00B073E8: GetSysColor.USER32(00000012), ref: 00B07421
                          • Part of subcall function 00B073E8: SetTextColor.GDI32(?,?), ref: 00B07425
                          • Part of subcall function 00B073E8: GetSysColorBrush.USER32(0000000F), ref: 00B0743B
                          • Part of subcall function 00B073E8: GetSysColor.USER32(0000000F), ref: 00B07446
                          • Part of subcall function 00B073E8: GetSysColor.USER32(00000011), ref: 00B07463
                          • Part of subcall function 00B073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B07471
                          • Part of subcall function 00B073E8: SelectObject.GDI32(?,00000000), ref: 00B07482
                          • Part of subcall function 00B073E8: SetBkColor.GDI32(?,00000000), ref: 00B0748B
                          • Part of subcall function 00B073E8: SelectObject.GDI32(?,?), ref: 00B07498
                          • Part of subcall function 00B073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B074B7
                          • Part of subcall function 00B073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B074CE
                          • Part of subcall function 00B073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B074DB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                        • String ID:
                        • API String ID: 4124339563-0
                        • Opcode ID: dd444c06bfae9932b429bd150cac3c454748a80ee6cd03b3cf8fab9aad670c8e
                        • Instruction ID: 27736e53defb4820b8184892247e275a4e81a9f963adac6a927ff0b7fd6d1f0c
                        • Opcode Fuzzy Hash: dd444c06bfae9932b429bd150cac3c454748a80ee6cd03b3cf8fab9aad670c8e
                        • Instruction Fuzzy Hash: 86A18E72408301AFDB109F60DC49A6BBFE9FB99320F104B19F962A71E1DB71E944CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DestroyWindow.USER32(00000000), ref: 00AF273E
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AF286A
                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00AF28A9
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00AF28B9
                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00AF2900
                        • GetClientRect.USER32(00000000,?), ref: 00AF290C
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00AF2955
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AF2964
                        • GetStockObject.GDI32(00000011), ref: 00AF2974
                        • SelectObject.GDI32(00000000,00000000), ref: 00AF2978
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00AF2988
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF2991
                        • DeleteDC.GDI32(00000000), ref: 00AF299A
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AF29C6
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00AF29DD
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00AF2A1D
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AF2A31
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00AF2A42
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00AF2A77
                        • GetStockObject.GDI32(00000011), ref: 00AF2A82
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AF2A8D
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00AF2A97
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: 54c21ed7957bab717be4e90a0edb17d7e078032d0cf7ce54719b2429fcc1e1a8
                        • Instruction ID: 654e4645ba80ab149f4d867be21eec56ffbd8f283fe9a3fc8ac2af915cede30f
                        • Opcode Fuzzy Hash: 54c21ed7957bab717be4e90a0edb17d7e078032d0cf7ce54719b2429fcc1e1a8
                        • Instruction Fuzzy Hash: 68B14C75A40219AFEB14DFA8CD45FAE7BB9FB08710F108654FA15E7290DB70AD40CBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00AE4AED
                        • GetDriveTypeW.KERNEL32(?,00B0CB68,?,\\.\,00B0CC08), ref: 00AE4BCA
                        • SetErrorMode.KERNEL32(00000000,00B0CB68,?,\\.\,00B0CC08), ref: 00AE4D36
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: c3052721f65384a708c798bdfdada01b9e155d82573eff0a1a7570484fe4056d
                        • Instruction ID: 5a81c502653380ad3f5dadf5ffa37a86ddbbf16d1bb262e57d97c873b0f92a84
                        • Opcode Fuzzy Hash: c3052721f65384a708c798bdfdada01b9e155d82573eff0a1a7570484fe4056d
                        • Instruction Fuzzy Hash: 2A619230705145ABCB14DF2ACA8296D77F8EB8C304F34C4A6F80AAB6A1DB75ED41DB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetSysColor.USER32(00000012), ref: 00B07421
                        • SetTextColor.GDI32(?,?), ref: 00B07425
                        • GetSysColorBrush.USER32(0000000F), ref: 00B0743B
                        • GetSysColor.USER32(0000000F), ref: 00B07446
                        • CreateSolidBrush.GDI32(?), ref: 00B0744B
                        • GetSysColor.USER32(00000011), ref: 00B07463
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B07471
                        • SelectObject.GDI32(?,00000000), ref: 00B07482
                        • SetBkColor.GDI32(?,00000000), ref: 00B0748B
                        • SelectObject.GDI32(?,?), ref: 00B07498
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00B074B7
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B074CE
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00B074DB
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B0752A
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B07554
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00B07572
                        • DrawFocusRect.USER32(?,?), ref: 00B0757D
                        • GetSysColor.USER32(00000011), ref: 00B0758E
                        • SetTextColor.GDI32(?,00000000), ref: 00B07596
                        • DrawTextW.USER32(?,00B070F5,000000FF,?,00000000), ref: 00B075A8
                        • SelectObject.GDI32(?,?), ref: 00B075BF
                        • DeleteObject.GDI32(?), ref: 00B075CA
                        • SelectObject.GDI32(?,?), ref: 00B075D0
                        • DeleteObject.GDI32(?), ref: 00B075D5
                        • SetTextColor.GDI32(?,?), ref: 00B075DB
                        • SetBkColor.GDI32(?,?), ref: 00B075E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: 79d391c0ddf43612823578a3c07c4fb1524f21aad1106c8b53abf38f9c4cf306
                        • Instruction ID: 1d5233e413cf3a7117d2f394444bfb2be7697f381c02006113581586db891174
                        • Opcode Fuzzy Hash: 79d391c0ddf43612823578a3c07c4fb1524f21aad1106c8b53abf38f9c4cf306
                        • Instruction Fuzzy Hash: AE616A76D00218AFDF019FA4DC49AEEBFB9EB19320F104255F911BB2E1DB75A940CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCursorPos.USER32(?), ref: 00B01128
                        • GetDesktopWindow.USER32 ref: 00B0113D
                        • GetWindowRect.USER32(00000000), ref: 00B01144
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B01199
                        • DestroyWindow.USER32(?), ref: 00B011B9
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B011ED
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B0120B
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B0121D
                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 00B01232
                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B01245
                        • IsWindowVisible.USER32(00000000), ref: 00B012A1
                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B012BC
                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B012D0
                        • GetWindowRect.USER32(00000000,?), ref: 00B012E8
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00B0130E
                        • GetMonitorInfoW.USER32(00000000,?), ref: 00B01328
                        • CopyRect.USER32(?,?), ref: 00B0133F
                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00B013AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: 49b755923c1e1628cf9e0b2b0ede9d81a46b073a47bc690b956fe2b27cfc753b
                        • Instruction ID: 98f499d580d247758839ffc058eb0f4e630c89dca94f26e224399575aa70d9f6
                        • Opcode Fuzzy Hash: 49b755923c1e1628cf9e0b2b0ede9d81a46b073a47bc690b956fe2b27cfc753b
                        • Instruction Fuzzy Hash: 17B18A71604341AFD718DF68C984B6BBFE4FF84754F008959F9999B2A1CB31E844CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00B002E5
                        • _wcslen.LIBCMT ref: 00B0031F
                        • _wcslen.LIBCMT ref: 00B00389
                        • _wcslen.LIBCMT ref: 00B003F1
                        • _wcslen.LIBCMT ref: 00B00475
                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B004C5
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B00504
                          • Part of subcall function 00A8F9F2: _wcslen.LIBCMT ref: 00A8F9FD
                          • Part of subcall function 00AD223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AD2258
                          • Part of subcall function 00AD223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AD228A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$MessageSend$BuffCharUpper
                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                        • API String ID: 1103490817-719923060
                        • Opcode ID: 092657a507f028d327b15ecc3e3522491657ad8bff1364edf4ac4da1ba77296d
                        • Instruction ID: 785059b82b956889d0129726df362c46ec8c2d612d67086035b0c77a99ecedb9
                        • Opcode Fuzzy Hash: 092657a507f028d327b15ecc3e3522491657ad8bff1364edf4ac4da1ba77296d
                        • Instruction Fuzzy Hash: 24E191712282018FC724EF24C991A2EBBE6FF98714F14859DF8969B3A1DB30ED45CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A88968
                        • GetSystemMetrics.USER32(00000007), ref: 00A88970
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A8899B
                        • GetSystemMetrics.USER32(00000008), ref: 00A889A3
                        • GetSystemMetrics.USER32(00000004), ref: 00A889C8
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A889E5
                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A889F5
                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A88A28
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A88A3C
                        • GetClientRect.USER32(00000000,000000FF), ref: 00A88A5A
                        • GetStockObject.GDI32(00000011), ref: 00A88A76
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A88A81
                          • Part of subcall function 00A8912D: GetCursorPos.USER32(?), ref: 00A89141
                          • Part of subcall function 00A8912D: ScreenToClient.USER32(00000000,?), ref: 00A8915E
                          • Part of subcall function 00A8912D: GetAsyncKeyState.USER32(00000001), ref: 00A89183
                          • Part of subcall function 00A8912D: GetAsyncKeyState.USER32(00000002), ref: 00A8919D
                        • SetTimer.USER32(00000000,00000000,00000028,00A890FC), ref: 00A88AA8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: 1a5eb752e7c59407497fad94abcaf6cc758bbeaf3764e80a6ae5988df8d9e248
                        • Instruction ID: 764935d5e43540289b6bf1bd9c70fa91be3b5e6d09d18876f271bdc86a0b31d6
                        • Opcode Fuzzy Hash: 1a5eb752e7c59407497fad94abcaf6cc758bbeaf3764e80a6ae5988df8d9e248
                        • Instruction Fuzzy Hash: 37B18B75A0020AAFDF14EFA8CC45BAE7BB5FB48314F114629FA15AB290DF34E941CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD1114
                          • Part of subcall function 00AD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1120
                          • Part of subcall function 00AD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD112F
                          • Part of subcall function 00AD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1136
                          • Part of subcall function 00AD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD0DF5
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD0E29
                        • GetLengthSid.ADVAPI32(?), ref: 00AD0E40
                        • GetAce.ADVAPI32(?,00000000,?), ref: 00AD0E7A
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD0E96
                        • GetLengthSid.ADVAPI32(?), ref: 00AD0EAD
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00AD0EB5
                        • HeapAlloc.KERNEL32(00000000), ref: 00AD0EBC
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD0EDD
                        • CopySid.ADVAPI32(00000000), ref: 00AD0EE4
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD0F13
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD0F35
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD0F47
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0F6E
                        • HeapFree.KERNEL32(00000000), ref: 00AD0F75
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0F7E
                        • HeapFree.KERNEL32(00000000), ref: 00AD0F85
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD0F8E
                        • HeapFree.KERNEL32(00000000), ref: 00AD0F95
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00AD0FA1
                        • HeapFree.KERNEL32(00000000), ref: 00AD0FA8
                          • Part of subcall function 00AD1193: GetProcessHeap.KERNEL32(00000008,00AD0BB1,?,00000000,?,00AD0BB1,?), ref: 00AD11A1
                          • Part of subcall function 00AD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00AD0BB1,?), ref: 00AD11A8
                          • Part of subcall function 00AD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00AD0BB1,?), ref: 00AD11B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: c08354b3ab38a03ac663aba3e1b7aa58321e9031f60275a2c50469a208b16fb4
                        • Instruction ID: fd5e21c6e98a9ca1d248eeb597e0e38cea0e96334b8a636b1d15762bbe6511fe
                        • Opcode Fuzzy Hash: c08354b3ab38a03ac663aba3e1b7aa58321e9031f60275a2c50469a208b16fb4
                        • Instruction Fuzzy Hash: B6715172900209AFDF209FA5DD48FEEBBB8BF18310F148216F956E7291DB719905CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFC4BD
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B0CC08,00000000,?,00000000,?,?), ref: 00AFC544
                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00AFC5A4
                        • _wcslen.LIBCMT ref: 00AFC5F4
                        • _wcslen.LIBCMT ref: 00AFC66F
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00AFC6B2
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00AFC7C1
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00AFC84D
                        • RegCloseKey.ADVAPI32(?), ref: 00AFC881
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFC88E
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00AFC960
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 9721498-966354055
                        • Opcode ID: dc9e90615ba4b55e01bbc92fe28e631e5ff420f2a40b223b01a1a7dd3241ffe8
                        • Instruction ID: 1cde239a22e5c2aaf40c7247114caedc5864035a3f32823602a6ce4db4b0f4b5
                        • Opcode Fuzzy Hash: dc9e90615ba4b55e01bbc92fe28e631e5ff420f2a40b223b01a1a7dd3241ffe8
                        • Instruction Fuzzy Hash: A9126A356042059FDB14DF25CA81E2AB7E5EF88764F14C89CF94A9B3A2DB31ED41CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00B009C6
                        • _wcslen.LIBCMT ref: 00B00A01
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B00A54
                        • _wcslen.LIBCMT ref: 00B00A8A
                        • _wcslen.LIBCMT ref: 00B00B06
                        • _wcslen.LIBCMT ref: 00B00B81
                          • Part of subcall function 00A8F9F2: _wcslen.LIBCMT ref: 00A8F9FD
                          • Part of subcall function 00AD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AD2BFA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$MessageSend$BuffCharUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 1103490817-4258414348
                        • Opcode ID: a7675765420405fc37477e7e286a134afd6f22b19171a29cdd964c4e009d6427
                        • Instruction ID: 97cc71f98e4a1eae930cbb362062292daf93abd1e2b0f398720194104296a897
                        • Opcode Fuzzy Hash: a7675765420405fc37477e7e286a134afd6f22b19171a29cdd964c4e009d6427
                        • Instruction Fuzzy Hash: B1E18D712187019FC714EF24C590A2ABBE1FF98314F14899DF89A9B3A2DB31ED45CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                        • API String ID: 1256254125-909552448
                        • Opcode ID: 24ea94bc55f036869885407e181afe8f3c57faff67b3cd544b3512944b93645c
                        • Instruction ID: 759e5e1929eb77ca46bfb2d37b3b663c2246d58ab4e29cbd88236762b7bb0d31
                        • Opcode Fuzzy Hash: 24ea94bc55f036869885407e181afe8f3c57faff67b3cd544b3512944b93645c
                        • Instruction Fuzzy Hash: 5471C67360012E8BCB20EFBECF515BA33A2AB647B4F254564FA5597284EA31DD45C3A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _wcslen.LIBCMT ref: 00B0835A
                        • _wcslen.LIBCMT ref: 00B0836E
                        • _wcslen.LIBCMT ref: 00B08391
                        • _wcslen.LIBCMT ref: 00B083B4
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B083F2
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B05BF2), ref: 00B0844E
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B08487
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B084CA
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B08501
                        • FreeLibrary.KERNEL32(?), ref: 00B0850D
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B0851D
                        • DestroyIcon.USER32(?,?,?,?,?,00B05BF2), ref: 00B0852C
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B08549
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B08555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                        • String ID: .dll$.exe$.icl
                        • API String ID: 799131459-1154884017
                        • Opcode ID: 508689ff5bc70fead697c393ff7b771be737af12694621a39b9247d71bf6fa93
                        • Instruction ID: 836b2e669c4d3f62559db690395f29744ed4f8bfd0215dbfe6c13feb5ed800ff
                        • Opcode Fuzzy Hash: 508689ff5bc70fead697c393ff7b771be737af12694621a39b9247d71bf6fa93
                        • Instruction Fuzzy Hash: D061C171540219BAEB14DF64CC81FBE7BE8FB18B21F108689F855D61D1DF74AA81CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 0-1645009161
                        • Opcode ID: 6848f6f714c27d85b14a2944535e53e064f5749afc4eb3f290473787f662b70d
                        • Instruction ID: fb1c20b44843a401e4765b9dcb82aa17ac81ea9aad41421245d4f7bfab4f9197
                        • Opcode Fuzzy Hash: 6848f6f714c27d85b14a2944535e53e064f5749afc4eb3f290473787f662b70d
                        • Instruction Fuzzy Hash: FB81CF71B04205BBDB25BF64DD82FEF3BA8AF15300F04C065F909AA196EB74DA51C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CharLowerBuffW.USER32(?,?), ref: 00AE3EF8
                        • _wcslen.LIBCMT ref: 00AE3F03
                        • _wcslen.LIBCMT ref: 00AE3F5A
                        • _wcslen.LIBCMT ref: 00AE3F98
                        • GetDriveTypeW.KERNEL32(?), ref: 00AE3FD6
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AE401E
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AE4059
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AE4087
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: SendString_wcslen$BuffCharDriveLowerType
                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                        • API String ID: 1839972693-4113822522
                        • Opcode ID: 969848d93bffe069136c7efbbc08a7b991d40bb1be4d8d019cde8e2ce7b46ef0
                        • Instruction ID: 8136ab7a0a69248aa952dfa14280980e3fdfda8f5573c2bec98f5108b7a43208
                        • Opcode Fuzzy Hash: 969848d93bffe069136c7efbbc08a7b991d40bb1be4d8d019cde8e2ce7b46ef0
                        • Instruction Fuzzy Hash: EA71D1326042019FCB10EF25C98196BB7F4EF98764F50892DF89A9B261EB30DE45CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadIconW.USER32(00000063), ref: 00AD5A2E
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AD5A40
                        • SetWindowTextW.USER32(?,?), ref: 00AD5A57
                        • GetDlgItem.USER32(?,000003EA), ref: 00AD5A6C
                        • SetWindowTextW.USER32(00000000,?), ref: 00AD5A72
                        • GetDlgItem.USER32(?,000003E9), ref: 00AD5A82
                        • SetWindowTextW.USER32(00000000,?), ref: 00AD5A88
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AD5AA9
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AD5AC3
                        • GetWindowRect.USER32(?,?), ref: 00AD5ACC
                        • _wcslen.LIBCMT ref: 00AD5B33
                        • SetWindowTextW.USER32(?,?), ref: 00AD5B6F
                        • GetDesktopWindow.USER32 ref: 00AD5B75
                        • GetWindowRect.USER32(00000000), ref: 00AD5B7C
                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00AD5BD3
                        • GetClientRect.USER32(?,?), ref: 00AD5BE0
                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00AD5C05
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AD5C2F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                        • String ID:
                        • API String ID: 895679908-0
                        • Opcode ID: c1cbf4d059482dc5c21dc7a440c78a8fe96f5859d47a3650bcef963469a49d04
                        • Instruction ID: 17ba30815239c4b391bd0575fb9b98c07e18543f81d82e00a207ac8d45cc4ff9
                        • Opcode Fuzzy Hash: c1cbf4d059482dc5c21dc7a440c78a8fe96f5859d47a3650bcef963469a49d04
                        • Instruction Fuzzy Hash: 02712D31900B05AFDB20DFB8CE85A6EBBF5FF48704F10461AE546A76A0DB75E944CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadCursorW.USER32(00000000,00007F89), ref: 00AEFE27
                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00AEFE32
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00AEFE3D
                        • LoadCursorW.USER32(00000000,00007F03), ref: 00AEFE48
                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00AEFE53
                        • LoadCursorW.USER32(00000000,00007F01), ref: 00AEFE5E
                        • LoadCursorW.USER32(00000000,00007F81), ref: 00AEFE69
                        • LoadCursorW.USER32(00000000,00007F88), ref: 00AEFE74
                        • LoadCursorW.USER32(00000000,00007F80), ref: 00AEFE7F
                        • LoadCursorW.USER32(00000000,00007F86), ref: 00AEFE8A
                        • LoadCursorW.USER32(00000000,00007F83), ref: 00AEFE95
                        • LoadCursorW.USER32(00000000,00007F85), ref: 00AEFEA0
                        • LoadCursorW.USER32(00000000,00007F82), ref: 00AEFEAB
                        • LoadCursorW.USER32(00000000,00007F84), ref: 00AEFEB6
                        • LoadCursorW.USER32(00000000,00007F04), ref: 00AEFEC1
                        • LoadCursorW.USER32(00000000,00007F02), ref: 00AEFECC
                        • GetCursorInfo.USER32(?), ref: 00AEFEDC
                        • GetLastError.KERNEL32 ref: 00AEFF1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Cursor$Load$ErrorInfoLast
                        • String ID:
                        • API String ID: 3215588206-0
                        • Opcode ID: cb1799f32f730ea012dae37da16c532b4734173bd1b460fe7dcff25ded262810
                        • Instruction ID: b1076c89b46f1dba9c3096f27eaf3ae2e38e7befa6f5c38ab8f291a733dc14f1
                        • Opcode Fuzzy Hash: cb1799f32f730ea012dae37da16c532b4734173bd1b460fe7dcff25ded262810
                        • Instruction Fuzzy Hash: 734122B0D053596EDB109FBA8C8985EBFE8FF04754B50852AF11DEB281DB78A901CE91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A900C6
                          • Part of subcall function 00A900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B4070C,00000FA0,29A7A41B,?,?,?,?,00AB23B3,000000FF), ref: 00A9011C
                          • Part of subcall function 00A900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AB23B3,000000FF), ref: 00A90127
                          • Part of subcall function 00A900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AB23B3,000000FF), ref: 00A90138
                          • Part of subcall function 00A900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A9014E
                          • Part of subcall function 00A900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A9015C
                          • Part of subcall function 00A900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A9016A
                          • Part of subcall function 00A900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A90195
                          • Part of subcall function 00A900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A901A0
                        • ___scrt_fastfail.LIBCMT ref: 00A900E7
                          • Part of subcall function 00A900A3: __onexit.LIBCMT ref: 00A900A9
                        Strings
                        • kernel32.dll, xrefs: 00A90133
                        • WakeAllConditionVariable, xrefs: 00A90162
                        • SleepConditionVariableCS, xrefs: 00A90154
                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A90122
                        • InitializeConditionVariable, xrefs: 00A90148
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                        • API String ID: 66158676-1714406822
                        • Opcode ID: 1b856883383edee14f81779d91f78ca2e04a4b881d6358a4e8d20da976ca9a8b
                        • Instruction ID: 085439dc15340f5c3ff547376a3122a2ee178006049ccb17b5a5bde689fe4d8a
                        • Opcode Fuzzy Hash: 1b856883383edee14f81779d91f78ca2e04a4b881d6358a4e8d20da976ca9a8b
                        • Instruction Fuzzy Hash: F821F932754711AFDB206BA4AC09F6A3BD4EF05F91F10037AF901A36E1DF749C008A91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                        • API String ID: 176396367-1603158881
                        • Opcode ID: b76131d1cdb173f3c7725334c12fa3dd220bd0164bc2aba69f4a8dca8c006d53
                        • Instruction ID: 2174f78d183c31d599eaab13ee288fe23a9f7c05733c4f29b8d1cdab662bbc5c
                        • Opcode Fuzzy Hash: b76131d1cdb173f3c7725334c12fa3dd220bd0164bc2aba69f4a8dca8c006d53
                        • Instruction Fuzzy Hash: 30E1E333A00516AFCF249F68C951AEEFBB0BF54750F64825AE457B7340DB30AE8587A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CharLowerBuffW.USER32(00000000,00000000,00B0CC08), ref: 00AE4527
                        • _wcslen.LIBCMT ref: 00AE453B
                        • _wcslen.LIBCMT ref: 00AE4599
                        • _wcslen.LIBCMT ref: 00AE45F4
                        • _wcslen.LIBCMT ref: 00AE463F
                        • _wcslen.LIBCMT ref: 00AE46A7
                          • Part of subcall function 00A8F9F2: _wcslen.LIBCMT ref: 00A8F9FD
                        • GetDriveTypeW.KERNEL32(?,00B36BF0,00000061), ref: 00AE4743
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharDriveLowerType
                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                        • API String ID: 2055661098-1000479233
                        • Opcode ID: b85396af3aa0dd8c31522d3a6070c4ffb975a285fddf778218657f67f5a21089
                        • Instruction ID: 40e9dbf13b45ec527df486cfe964ac2bbabf856af1d2179264769e26914523ae
                        • Opcode Fuzzy Hash: b85396af3aa0dd8c31522d3a6070c4ffb975a285fddf778218657f67f5a21089
                        • Instruction Fuzzy Hash: 35B1F6316083429FC710DF29C991A6EB7E9BFA9720F50891DF496C7291E730DC45CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _wcslen.LIBCMT ref: 00AFB198
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AFB1B0
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AFB1D4
                        • _wcslen.LIBCMT ref: 00AFB200
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AFB214
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AFB236
                        • _wcslen.LIBCMT ref: 00AFB332
                          • Part of subcall function 00AE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00AE05C6
                        • _wcslen.LIBCMT ref: 00AFB34B
                        • _wcslen.LIBCMT ref: 00AFB366
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AFB3B6
                        • GetLastError.KERNEL32(00000000), ref: 00AFB407
                        • CloseHandle.KERNEL32(?), ref: 00AFB439
                        • CloseHandle.KERNEL32(00000000), ref: 00AFB44A
                        • CloseHandle.KERNEL32(00000000), ref: 00AFB45C
                        • CloseHandle.KERNEL32(00000000), ref: 00AFB46E
                        • CloseHandle.KERNEL32(?), ref: 00AFB4E3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                        • String ID:
                        • API String ID: 2178637699-0
                        • Opcode ID: eda3bfd3ce847a47a99de51398b0294c2f96f723d46c06e7db866002b5448734
                        • Instruction ID: 8228d28d142f4761746574a813f6c81ad74e05b46c7f97b5624355d5bb548b18
                        • Opcode Fuzzy Hash: eda3bfd3ce847a47a99de51398b0294c2f96f723d46c06e7db866002b5448734
                        • Instruction Fuzzy Hash: F0F1BC716183049FCB14EF64C991B6EBBF1AF85314F14855DF99A8B2A2CB31EC40CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenuItemCount.USER32(00B41990), ref: 00AB2F8D
                        • GetMenuItemCount.USER32(00B41990), ref: 00AB303D
                        • GetCursorPos.USER32(?), ref: 00AB3081
                        • SetForegroundWindow.USER32(00000000), ref: 00AB308A
                        • TrackPopupMenuEx.USER32(00B41990,00000000,?,00000000,00000000,00000000), ref: 00AB309D
                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AB30A9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                        • String ID: 0
                        • API String ID: 36266755-4108050209
                        • Opcode ID: c8dcc6fcdf3b0e1033c155711c8bd1ad4153143b95fd8d845c6ab0f67eec09a3
                        • Instruction ID: 3053d647ed872e33263d76dc3574ec55398842612555c8497afcc7bfedf1f5bc
                        • Opcode Fuzzy Hash: c8dcc6fcdf3b0e1033c155711c8bd1ad4153143b95fd8d845c6ab0f67eec09a3
                        • Instruction Fuzzy Hash: 20710971640205BEEB259F25CC49FEABF78FF15364F208216F5296A1E2C7B1AD10D790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DestroyWindow.USER32(00000000,?), ref: 00B06DEB
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B06E5F
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B06E81
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B06E94
                        • DestroyWindow.USER32(?), ref: 00B06EB5
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A70000,00000000), ref: 00B06EE4
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B06EFD
                        • GetDesktopWindow.USER32 ref: 00B06F16
                        • GetWindowRect.USER32(00000000), ref: 00B06F1D
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B06F35
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B06F4D
                          • Part of subcall function 00A89944: GetWindowLongW.USER32(?,000000EB), ref: 00A89952
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                        • String ID: 0$tooltips_class32
                        • API String ID: 2429346358-3619404913
                        • Opcode ID: f7773575675ce2fdec9f8e96046ec30fd9539d3583c934333abd81a192a09bd0
                        • Instruction ID: f4082da542212f85b06ede0aba10dff8dbcf43d69a2ee762395533d2d05ff2c2
                        • Opcode Fuzzy Hash: f7773575675ce2fdec9f8e96046ec30fd9539d3583c934333abd81a192a09bd0
                        • Instruction Fuzzy Hash: B6717674504341AFDB21CF18DC48FAABFE9FB89304F14495DFA89872A1CB71A956CB12
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • DragQueryPoint.SHELL32(?,?), ref: 00B09147
                          • Part of subcall function 00B07674: ClientToScreen.USER32(?,?), ref: 00B0769A
                          • Part of subcall function 00B07674: GetWindowRect.USER32(?,?), ref: 00B07710
                          • Part of subcall function 00B07674: PtInRect.USER32(?,?,00B08B89), ref: 00B07720
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00B091B0
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B091BB
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B091DE
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B09225
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00B0923E
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00B09255
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00B09277
                        • DragFinish.SHELL32(?), ref: 00B0927E
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B09371
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                        • API String ID: 221274066-3440237614
                        • Opcode ID: 0e371815735eef311641dd017f35e4c2593e00dc2bfb9e2079ac1395e2f42aaf
                        • Instruction ID: 089ced0c5d5539339c733878794263722793dc6ab9dae06c91a5a3c2120366a2
                        • Opcode Fuzzy Hash: 0e371815735eef311641dd017f35e4c2593e00dc2bfb9e2079ac1395e2f42aaf
                        • Instruction Fuzzy Hash: 19618771108300AFC701EF64DD85DAFBBE8EF99750F008A6EF595931A1DB309A49CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AEC4B0
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AEC4C3
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AEC4D7
                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AEC4F0
                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00AEC533
                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AEC549
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AEC554
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AEC584
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AEC5DC
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AEC5F0
                        • InternetCloseHandle.WININET(00000000), ref: 00AEC5FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                        • String ID:
                        • API String ID: 3800310941-3916222277
                        • Opcode ID: ee03156057a1a7d290afddb95a84668c8e4a693d7c07f39bd58ea4298ceb9553
                        • Instruction ID: bc6ccc3cea0398304f48f084b6d356c0e609bb169f9020151323aea03a4cffe1
                        • Opcode Fuzzy Hash: ee03156057a1a7d290afddb95a84668c8e4a693d7c07f39bd58ea4298ceb9553
                        • Instruction Fuzzy Hash: 4E5169B0540348BFDB219F62C988AAB7FFCFF18764F00451AF94697250DB34EA459B60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B08592
                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085A2
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085AD
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085BA
                        • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085C8
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085D7
                        • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085E0
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085E7
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B085F8
                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B0FC38,?), ref: 00B08611
                        • GlobalFree.KERNEL32(00000000), ref: 00B08621
                        • GetObjectW.GDI32(?,00000018,?), ref: 00B08641
                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B08671
                        • DeleteObject.GDI32(?), ref: 00B08699
                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B086AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                        • String ID:
                        • API String ID: 3840717409-0
                        • Opcode ID: abe59f01cdfc2da90ca430595e3b15b332bf8ce15adf17df8ee524c322f1287c
                        • Instruction ID: 89ceb6e3833cdd0258aa0cedeeacc466c834f054e7b62544c03e9fa5100e4869
                        • Opcode Fuzzy Hash: abe59f01cdfc2da90ca430595e3b15b332bf8ce15adf17df8ee524c322f1287c
                        • Instruction Fuzzy Hash: 8F41F975600204EFDB119FA5DC88EAE7FB8FF99751F108158F946E72A0DB719A01CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VariantInit.OLEAUT32(00000000), ref: 00AE1502
                        • VariantCopy.OLEAUT32(?,?), ref: 00AE150B
                        • VariantClear.OLEAUT32(?), ref: 00AE1517
                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AE15FB
                        • VarR8FromDec.OLEAUT32(?,?), ref: 00AE1657
                        • VariantInit.OLEAUT32(?), ref: 00AE1708
                        • SysFreeString.OLEAUT32(?), ref: 00AE178C
                        • VariantClear.OLEAUT32(?), ref: 00AE17D8
                        • VariantClear.OLEAUT32(?), ref: 00AE17E7
                        • VariantInit.OLEAUT32(00000000), ref: 00AE1823
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                        • API String ID: 1234038744-3931177956
                        • Opcode ID: d2f4f30053632acccb856bd3b2fd14937789f7eb1f2da3a8e102850699550d0d
                        • Instruction ID: 964e95efc3fe1f326c6f23822cd7c77ef5d65b70972f1e3a74c71768add61384
                        • Opcode Fuzzy Hash: d2f4f30053632acccb856bd3b2fd14937789f7eb1f2da3a8e102850699550d0d
                        • Instruction Fuzzy Hash: 38D11571A00165EFDB10EF66D985BBDBBB5BF45B00F20815AF846AB284DB30DC41DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AFB6AE,?,?), ref: 00AFC9B5
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFC9F1
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA68
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFB6F4
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AFB772
                        • RegDeleteValueW.ADVAPI32(?,?), ref: 00AFB80A
                        • RegCloseKey.ADVAPI32(?), ref: 00AFB87E
                        • RegCloseKey.ADVAPI32(?), ref: 00AFB89C
                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00AFB8F2
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AFB904
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00AFB922
                        • FreeLibrary.KERNEL32(00000000), ref: 00AFB983
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFB994
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 146587525-4033151799
                        • Opcode ID: a13e0082f6dc3a3374f6f8fa4d1d8ff2f87ee875d1d55e92a2a6f4c72125018e
                        • Instruction ID: 225db38164ac6e24cd8385c7adf29fd1077d7fb6fb1375536d11146130f83e48
                        • Opcode Fuzzy Hash: a13e0082f6dc3a3374f6f8fa4d1d8ff2f87ee875d1d55e92a2a6f4c72125018e
                        • Instruction Fuzzy Hash: FEC16B30214205AFD710DF64C995F2ABBF5BF84318F14C59CF69A8B2A2CB71E945CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDC.USER32(00000000), ref: 00AF25D8
                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AF25E8
                        • CreateCompatibleDC.GDI32(?), ref: 00AF25F4
                        • SelectObject.GDI32(00000000,?), ref: 00AF2601
                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00AF266D
                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00AF26AC
                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00AF26D0
                        • SelectObject.GDI32(?,?), ref: 00AF26D8
                        • DeleteObject.GDI32(?), ref: 00AF26E1
                        • DeleteDC.GDI32(?), ref: 00AF26E8
                        • ReleaseDC.USER32(00000000,?), ref: 00AF26F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        • Opcode ID: 0f1d7cb9a25a5516b99598f727a36663b1c1e1f7723cf07885c286cd26f4b17a
                        • Instruction ID: 71efe767d532957af417219501308308c754c804d18819512397136ecef96eef
                        • Opcode Fuzzy Hash: 0f1d7cb9a25a5516b99598f727a36663b1c1e1f7723cf07885c286cd26f4b17a
                        • Instruction Fuzzy Hash: EE61E275D00219EFCF14CFE4D984AAEBBB5FF48310F208529EA55A7250E774A951CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 00AADAA1
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD659
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD66B
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD67D
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD68F
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6A1
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6B3
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6C5
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6D7
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6E9
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD6FB
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD70D
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD71F
                          • Part of subcall function 00AAD63C: _free.LIBCMT ref: 00AAD731
                        • _free.LIBCMT ref: 00AADA96
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AADAB8
                        • _free.LIBCMT ref: 00AADACD
                        • _free.LIBCMT ref: 00AADAD8
                        • _free.LIBCMT ref: 00AADAFA
                        • _free.LIBCMT ref: 00AADB0D
                        • _free.LIBCMT ref: 00AADB1B
                        • _free.LIBCMT ref: 00AADB26
                        • _free.LIBCMT ref: 00AADB5E
                        • _free.LIBCMT ref: 00AADB65
                        • _free.LIBCMT ref: 00AADB82
                        • _free.LIBCMT ref: 00AADB9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        • Opcode ID: fc47de03403dea9b87de1243614bcfe57b0186127049eed21321b6f7fe1a103c
                        • Instruction ID: aca649ffa05a945ffdc80345067f9e10e52d974d3f343e4b99d32a011a927390
                        • Opcode Fuzzy Hash: fc47de03403dea9b87de1243614bcfe57b0186127049eed21321b6f7fe1a103c
                        • Instruction Fuzzy Hash: 0C316B326043049FEB62AB78E945B6BB7E8FF42750F11441AE48AD75D1DF30AC508721
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 00AD369C
                        • _wcslen.LIBCMT ref: 00AD36A7
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AD3797
                        • GetClassNameW.USER32(?,?,00000400), ref: 00AD380C
                        • GetDlgCtrlID.USER32(?), ref: 00AD385D
                        • GetWindowRect.USER32(?,?), ref: 00AD3882
                        • GetParent.USER32(?), ref: 00AD38A0
                        • ScreenToClient.USER32(00000000), ref: 00AD38A7
                        • GetClassNameW.USER32(?,?,00000100), ref: 00AD3921
                        • GetWindowTextW.USER32(?,?,00000400), ref: 00AD395D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                        • String ID: %s%u
                        • API String ID: 4010501982-679674701
                        • Opcode ID: 407ffd862fe42f9a67c58d7902622e420b0eeb4d90330c88a438b6b224cfe4d7
                        • Instruction ID: 2312b0dcffab5f1d9a28c118e40690f208c6b5a3bfe8caa41a51d750a2e19d02
                        • Opcode Fuzzy Hash: 407ffd862fe42f9a67c58d7902622e420b0eeb4d90330c88a438b6b224cfe4d7
                        • Instruction Fuzzy Hash: 0B919872204606AFDB15DF64C895BAAB7E8FF44350F00461AF99AD3290DB30EA45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetClassNameW.USER32(?,?,00000400), ref: 00AD4994
                        • GetWindowTextW.USER32(?,?,00000400), ref: 00AD49DA
                        • _wcslen.LIBCMT ref: 00AD49EB
                        • CharUpperBuffW.USER32(?,00000000), ref: 00AD49F7
                        • _wcsstr.LIBVCRUNTIME ref: 00AD4A2C
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00AD4A64
                        • GetWindowTextW.USER32(?,?,00000400), ref: 00AD4A9D
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00AD4AE6
                        • GetClassNameW.USER32(?,?,00000400), ref: 00AD4B20
                        • GetWindowRect.USER32(?,?), ref: 00AD4B8B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                        • String ID: ThumbnailClass
                        • API String ID: 1311036022-1241985126
                        • Opcode ID: 45a8f19f3407419fc6eb922e05811278758d0c3fce661ac230378e7341cda323
                        • Instruction ID: 9ceaf4e750e35c3d73b8afd7a469f9ca292db832d7382c96730d1a189c47cb45
                        • Opcode Fuzzy Hash: 45a8f19f3407419fc6eb922e05811278758d0c3fce661ac230378e7341cda323
                        • Instruction Fuzzy Hash: 7991CC711042059FDB04CF14C985BAA7BE8FF98354F04856BFD8A9B296EB30ED45CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B08D5A
                        • GetFocus.USER32 ref: 00B08D6A
                        • GetDlgCtrlID.USER32(00000000), ref: 00B08D75
                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B08E1D
                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B08ECF
                        • GetMenuItemCount.USER32(?), ref: 00B08EEC
                        • GetMenuItemID.USER32(?,00000000), ref: 00B08EFC
                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B08F2E
                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B08F70
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B08FA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                        • String ID: 0
                        • API String ID: 1026556194-4108050209
                        • Opcode ID: 8ad62879b712464b9822b739138595cbcc46a143b9b0d8e69037e1204be13901
                        • Instruction ID: f97dca54b1cd9d0354708bd24748754fe1b0bf270266f2c7edef2329b42aaf9b
                        • Opcode Fuzzy Hash: 8ad62879b712464b9822b739138595cbcc46a143b9b0d8e69037e1204be13901
                        • Instruction Fuzzy Hash: 07817D71504301AFDB20DF24D884AAB7FE9FB98354F140AA9F985972D1DF70DA41CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00ADDC20
                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00ADDC46
                        • _wcslen.LIBCMT ref: 00ADDC50
                        • _wcsstr.LIBVCRUNTIME ref: 00ADDCA0
                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00ADDCBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                        • API String ID: 1939486746-1459072770
                        • Opcode ID: fa126e9aa67c4d4a5def92a4893be40aec1946f80ac3eb980b54656c631dbc92
                        • Instruction ID: 2c86d16da0b4f7278bcf5c8c25588ea0317e17b625e4c14e13460043447c9154
                        • Opcode Fuzzy Hash: fa126e9aa67c4d4a5def92a4893be40aec1946f80ac3eb980b54656c631dbc92
                        • Instruction Fuzzy Hash: 13412332A402057EEF11A774DD03EBF7BECEF55710F1041AAF901A62D2EB749A0187A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AFCC64
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00AFCC8D
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AFCD48
                          • Part of subcall function 00AFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00AFCCAA
                          • Part of subcall function 00AFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00AFCCBD
                          • Part of subcall function 00AFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AFCCCF
                          • Part of subcall function 00AFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00AFCD05
                          • Part of subcall function 00AFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00AFCD28
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00AFCCF3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2734957052-4033151799
                        • Opcode ID: b6de333a84778063a6212bdb01c3eb5ff4dd0f889263b0f234b5e458e4f4312f
                        • Instruction ID: af0f11049a92ad32946d4edfd20acf0c80fa9f65341b7e8aa14df16457e18a95
                        • Opcode Fuzzy Hash: b6de333a84778063a6212bdb01c3eb5ff4dd0f889263b0f234b5e458e4f4312f
                        • Instruction Fuzzy Hash: 8B316D7194112DBBDB208B96DD88EFFBF7CEF55760F000265BA06E3250DB349A45DAA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AE3D40
                        • _wcslen.LIBCMT ref: 00AE3D6D
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AE3D9D
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AE3DBE
                        • RemoveDirectoryW.KERNEL32(?), ref: 00AE3DCE
                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AE3E55
                        • CloseHandle.KERNEL32(00000000), ref: 00AE3E60
                        • CloseHandle.KERNEL32(00000000), ref: 00AE3E6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                        • String ID: :$\$\??\%s
                        • API String ID: 1149970189-3457252023
                        • Opcode ID: 7ba5469d6e7de317c62ef53969db8e07ad69335015e3a282b947eebe4f0a807a
                        • Instruction ID: 50dbd97e00fcbb67411a8202ea6828a47f3b5871f636172ce96bb7e0c565063d
                        • Opcode Fuzzy Hash: 7ba5469d6e7de317c62ef53969db8e07ad69335015e3a282b947eebe4f0a807a
                        • Instruction Fuzzy Hash: CF318F72A00259ABDF219FA1DC89FEB37BCEF88700F5041A5F509D7060EB7497448B24
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • timeGetTime.WINMM ref: 00ADE6B4
                          • Part of subcall function 00A8E551: timeGetTime.WINMM(?,?,00ADE6D4), ref: 00A8E555
                        • Sleep.KERNEL32(0000000A), ref: 00ADE6E1
                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00ADE705
                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ADE727
                        • SetActiveWindow.USER32 ref: 00ADE746
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ADE754
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00ADE773
                        • Sleep.KERNEL32(000000FA), ref: 00ADE77E
                        • IsWindow.USER32 ref: 00ADE78A
                        • EndDialog.USER32(00000000), ref: 00ADE79B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        • Opcode ID: a3ef2a0d225f388f4450ec4a71eeb750d1db3898e33578538a95175fd7a5ead9
                        • Instruction ID: 8ee30a2a27dc327638b176cbb80511b189672e8f2a7ea66796e61349dbe11434
                        • Opcode Fuzzy Hash: a3ef2a0d225f388f4450ec4a71eeb750d1db3898e33578538a95175fd7a5ead9
                        • Instruction Fuzzy Hash: 3421A578200204BFEB10AF64ECC9A363F69F766748F504526F517872B1DF72AE109B25
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ADEA5D
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ADEA73
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ADEA84
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ADEA96
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ADEAA7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: SendString$_wcslen
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2420728520-1007645807
                        • Opcode ID: 02361244cae895133c24801fd56472b1703c7c25a26a6a961504197657c8d3de
                        • Instruction ID: 4e44143a084254c9d37e4f11495050c7c6456b0256edb4e146d0ddd420c9120e
                        • Opcode Fuzzy Hash: 02361244cae895133c24801fd56472b1703c7c25a26a6a961504197657c8d3de
                        • Instruction Fuzzy Hash: 9E115131A9021979D720F7A1DD4AEFF7BBCEBD5B40F10856A7415A60E1EE701A05C5B0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 00AD5CE2
                        • GetWindowRect.USER32(00000000,?), ref: 00AD5CFB
                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00AD5D59
                        • GetDlgItem.USER32(?,00000002), ref: 00AD5D69
                        • GetWindowRect.USER32(00000000,?), ref: 00AD5D7B
                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00AD5DCF
                        • GetDlgItem.USER32(?,000003E9), ref: 00AD5DDD
                        • GetWindowRect.USER32(00000000,?), ref: 00AD5DEF
                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00AD5E31
                        • GetDlgItem.USER32(?,000003EA), ref: 00AD5E44
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AD5E5A
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00AD5E67
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        • Opcode ID: 8fb58a9d1fdaa8844418234df1df8b857fdef444a40cf2813fbb5d7c25bcdedb
                        • Instruction ID: e76237acf2fe8465285c1a815ad364422c7489d6e535d776c631c4874c10660d
                        • Opcode Fuzzy Hash: 8fb58a9d1fdaa8844418234df1df8b857fdef444a40cf2813fbb5d7c25bcdedb
                        • Instruction Fuzzy Hash: 9851FF71E00605AFDF18DF68DD89AAE7BB5FB58301F148229F516E7290DB709E04CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A88BE8,?,00000000,?,?,?,?,00A88BBA,00000000,?), ref: 00A88FC5
                        • DestroyWindow.USER32(?), ref: 00A88C81
                        • KillTimer.USER32(00000000,?,?,?,?,00A88BBA,00000000,?), ref: 00A88D1B
                        • DestroyAcceleratorTable.USER32(00000000), ref: 00AC6973
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A88BBA,00000000,?), ref: 00AC69A1
                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A88BBA,00000000,?), ref: 00AC69B8
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A88BBA,00000000), ref: 00AC69D4
                        • DeleteObject.GDI32(00000000), ref: 00AC69E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        • Opcode ID: d7d869c47fb42bacb193bd4905a1442f0a37270d6cdb0dc41f3f6778ccb73fe4
                        • Instruction ID: 3a98c4f691b4daf335415442ed29b2bc54956f728a298f4b57813a9732acebf5
                        • Opcode Fuzzy Hash: d7d869c47fb42bacb193bd4905a1442f0a37270d6cdb0dc41f3f6778ccb73fe4
                        • Instruction Fuzzy Hash: 4E617875902610DFDB25EF18DA48B297BF1FB51312F54491CE0829B9A4CF39AE91CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89944: GetWindowLongW.USER32(?,000000EB), ref: 00A89952
                        • GetSysColor.USER32(0000000F), ref: 00A89862
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        • Opcode ID: ad4939a0c72775db1e304840d4e696a4cd835900934c0cfd2ea29b5f6dfa4f31
                        • Instruction ID: 2505699e697e9327fb7179af3baf3a9c883697405f1c1767c2c8654ff473a3ea
                        • Opcode Fuzzy Hash: ad4939a0c72775db1e304840d4e696a4cd835900934c0cfd2ea29b5f6dfa4f31
                        • Instruction Fuzzy Hash: 6941B331504645AFDB206F38DC88BBA3BA5FB16334F194619F9A2971E1DB319C42DB10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00ABF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00AD9717
                        • LoadStringW.USER32(00000000,?,00ABF7F8,00000001), ref: 00AD9720
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00ABF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00AD9742
                        • LoadStringW.USER32(00000000,?,00ABF7F8,00000001), ref: 00AD9745
                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00AD9866
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wcslen
                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                        • API String ID: 747408836-2268648507
                        • Opcode ID: bd419da2daaa25b19ff73833e1184b40acd5b6a231684c6f1e07f75bd72b47cd
                        • Instruction ID: 71673e52a89c56c08f33a7c872a40fd079c294e43405f5abbc97c77bb81a1d7c
                        • Opcode Fuzzy Hash: bd419da2daaa25b19ff73833e1184b40acd5b6a231684c6f1e07f75bd72b47cd
                        • Instruction Fuzzy Hash: C3415272900109AACF14FBE0CE46DEF7778AF15740F508066F60A76192EB355F48DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AD07A2
                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AD07BE
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AD07DA
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AD0804
                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00AD082C
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD0837
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD083C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                        • API String ID: 323675364-22481851
                        • Opcode ID: 184132145f7d0bd326f73d20862c5a9e2b1cf1f7cc12b8ba0aa34ee2d663cf23
                        • Instruction ID: d60c8b0dcc838d7d18980b40f4041d8dd7b91a782ed1dda6b660208d1b10df8e
                        • Opcode Fuzzy Hash: 184132145f7d0bd326f73d20862c5a9e2b1cf1f7cc12b8ba0aa34ee2d663cf23
                        • Instruction Fuzzy Hash: 95413A72C10228ABCF21EFA4DC95DEDB7B8FF54340F14816AE915A71A1EB305E04CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B0403B
                        • CreateCompatibleDC.GDI32(00000000), ref: 00B04042
                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B04055
                        • SelectObject.GDI32(00000000,00000000), ref: 00B0405D
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B04068
                        • DeleteDC.GDI32(00000000), ref: 00B04072
                        • GetWindowLongW.USER32(?,000000EC), ref: 00B0407C
                        • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00B04092
                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00B0409E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                        • String ID: static
                        • API String ID: 2559357485-2160076837
                        • Opcode ID: ee7bb1f7de23f572daf37625e5bfce511bdc10bc208ac27ddb5258a4f0243d8f
                        • Instruction ID: bf8ba4464690b64cc8ed935efd7cabbbc385284b1879db1c62140a3005cc52ad
                        • Opcode Fuzzy Hash: ee7bb1f7de23f572daf37625e5bfce511bdc10bc208ac27ddb5258a4f0243d8f
                        • Instruction Fuzzy Hash: 69316972500219ABDF229FA4CC09FDA3FA8EF1D320F100350FA18A60E0DB76D821DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00AF3C5C
                        • CoInitialize.OLE32(00000000), ref: 00AF3C8A
                        • CoUninitialize.OLE32 ref: 00AF3C94
                        • _wcslen.LIBCMT ref: 00AF3D2D
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00AF3DB1
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00AF3ED5
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00AF3F0E
                        • CoGetObject.OLE32(?,00000000,00B0FB98,?), ref: 00AF3F2D
                        • SetErrorMode.KERNEL32(00000000), ref: 00AF3F40
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AF3FC4
                        • VariantClear.OLEAUT32(?), ref: 00AF3FD8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                        • String ID:
                        • API String ID: 429561992-0
                        • Opcode ID: 17cde29b83418bb4bd0addaf2baa71fb6e8e7b8d2ec8f5184756adc122a0555e
                        • Instruction ID: 4ab2bfac5f7b2a5c9d8544f95a031ba8b596df2a7a75816977e5ad954feb431c
                        • Opcode Fuzzy Hash: 17cde29b83418bb4bd0addaf2baa71fb6e8e7b8d2ec8f5184756adc122a0555e
                        • Instruction Fuzzy Hash: E0C138726083059FDB00DFA8C98492BBBE9FF89744F10495DFA8A9B251DB31ED05CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CoInitialize.OLE32(00000000), ref: 00AE7AF3
                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AE7B8F
                        • SHGetDesktopFolder.SHELL32(?), ref: 00AE7BA3
                        • CoCreateInstance.OLE32(00B0FD08,00000000,00000001,00B36E6C,?), ref: 00AE7BEF
                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AE7C74
                        • CoTaskMemFree.OLE32(?,?), ref: 00AE7CCC
                        • SHBrowseForFolderW.SHELL32(?), ref: 00AE7D57
                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AE7D7A
                        • CoTaskMemFree.OLE32(00000000), ref: 00AE7D81
                        • CoTaskMemFree.OLE32(00000000), ref: 00AE7DD6
                        • CoUninitialize.OLE32 ref: 00AE7DDC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                        • String ID:
                        • API String ID: 2762341140-0
                        • Opcode ID: e778e9dea3e6a3a5766a7c17a6a99ccc2f1ed7ca7d8fa7bdb4dd8b612d0badd1
                        • Instruction ID: 1681f4c63e57d5188c8b461935439b1c5e10883390b9d778685160a4481695db
                        • Opcode Fuzzy Hash: e778e9dea3e6a3a5766a7c17a6a99ccc2f1ed7ca7d8fa7bdb4dd8b612d0badd1
                        • Instruction Fuzzy Hash: D0C12C75A04249AFCB14DF65C894DAEBBF9FF48304B148599E81ADB361DB30ED41CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B05504
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B05515
                        • CharNextW.USER32(00000158), ref: 00B05544
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B05585
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B0559B
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B055AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$CharNext
                        • String ID:
                        • API String ID: 1350042424-0
                        • Opcode ID: 5491638489de0336b4541f62babfd7a585cb850011221832386841ffab518381
                        • Instruction ID: 1cf83edc3ce63a4bce4beaf940838844e608dbd18f2809ec08e84e74052ba043
                        • Opcode Fuzzy Hash: 5491638489de0336b4541f62babfd7a585cb850011221832386841ffab518381
                        • Instruction Fuzzy Hash: 85617B74900608ABDF209F54CC84AFF7FB9EB19720F108585F925AB6E0DB709A81DF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ACFAAF
                        • SafeArrayAllocData.OLEAUT32(?), ref: 00ACFB08
                        • VariantInit.OLEAUT32(?), ref: 00ACFB1A
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00ACFB3A
                        • VariantCopy.OLEAUT32(?,?), ref: 00ACFB8D
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00ACFBA1
                        • VariantClear.OLEAUT32(?), ref: 00ACFBB6
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00ACFBC3
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ACFBCC
                        • VariantClear.OLEAUT32(?), ref: 00ACFBDE
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ACFBE9
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        • Opcode ID: 51e693c7f77f8127331465364db169922e1c16946da87aa0789c2571581d1923
                        • Instruction ID: 560ba5040be50098cd3621bf26337d2f00b21a733cc13403dcd53bfe22aa7d2d
                        • Opcode Fuzzy Hash: 51e693c7f77f8127331465364db169922e1c16946da87aa0789c2571581d1923
                        • Instruction Fuzzy Hash: B8413E35A00219AFCB00DF68C854EAEBFBAFF58354F118169E955A7261CB30AD45CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetKeyboardState.USER32(?), ref: 00AD9CA1
                        • GetAsyncKeyState.USER32(000000A0), ref: 00AD9D22
                        • GetKeyState.USER32(000000A0), ref: 00AD9D3D
                        • GetAsyncKeyState.USER32(000000A1), ref: 00AD9D57
                        • GetKeyState.USER32(000000A1), ref: 00AD9D6C
                        • GetAsyncKeyState.USER32(00000011), ref: 00AD9D84
                        • GetKeyState.USER32(00000011), ref: 00AD9D96
                        • GetAsyncKeyState.USER32(00000012), ref: 00AD9DAE
                        • GetKeyState.USER32(00000012), ref: 00AD9DC0
                        • GetAsyncKeyState.USER32(0000005B), ref: 00AD9DD8
                        • GetKeyState.USER32(0000005B), ref: 00AD9DEA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        • Opcode ID: 4488b7b514ae1e267dac894b03a497b5d392d86953b50bb4fb73dc0422f44ebf
                        • Instruction ID: 07cfa1682d64cdde28b42ab8768505e65fb12b7a1490139a08b17f654025c3db
                        • Opcode Fuzzy Hash: 4488b7b514ae1e267dac894b03a497b5d392d86953b50bb4fb73dc0422f44ebf
                        • Instruction Fuzzy Hash: 6C4195345047C96DFF31976488043B7BEA16B21344F04815BDAC7577C2EBA5D9C8C7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 00AF05BC
                        • inet_addr.WSOCK32(?), ref: 00AF061C
                        • gethostbyname.WSOCK32(?), ref: 00AF0628
                        • IcmpCreateFile.IPHLPAPI ref: 00AF0636
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF06C6
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF06E5
                        • IcmpCloseHandle.IPHLPAPI(?), ref: 00AF07B9
                        • WSACleanup.WSOCK32 ref: 00AF07BF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        • Opcode ID: a36eef119a70292cf7dee2206191d9c221e55ad4a9b016123e752f6486a41bdf
                        • Instruction ID: 9563cb592a85014bb798133ac985fa72db25a1cfa9d5e89345713dc5ae064ab3
                        • Opcode Fuzzy Hash: a36eef119a70292cf7dee2206191d9c221e55ad4a9b016123e752f6486a41bdf
                        • Instruction Fuzzy Hash: 07919E756086019FD720DF55C988F2ABBE0AF44318F14C5A9F5699B6A3CB70EC41CF91
                        Uniqueness

                        Uniqueness Score: -1.00%
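The per-function "APIs" listings in this report (for instance the modifier-key polling block with GetKeyboardState/GetAsyncKeyState/GetKeyState and the IcmpSendEcho block above) are machine-generated and tedious to scan by eye when a report runs to thousands of lines. The following is an added example, not part of the Joe Sandbox report or of the analyzed sample, of a small parser that turns these bullet lines into structured records so the call sequences can be grouped and queried. The sample input is constructed from lines copied from the listings above; the VK_ names are the winuser.h constants for the key codes seen there, and the "Strings" / "Memory Dump Source" headers are assumed to end each listing as they do on this page.

```python
"""Added example: parse the per-function "APIs" listings of a Joe Sandbox report."""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet line of an "APIs" listing, in the three shapes seen in the report:
#   • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B05504
#   • CoUninitialize.OLE32 ref: 00AE7DDC
#   • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# winuser.h virtual-key constants for the codes polled in the listing above
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for 8-digit hex, None for "?", str otherwise
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # callee address when listed as "Part of subcall"


def parse_arg(tok: str):
    """Map a token: "?" -> None, 8-digit hex -> int, else keep the text (e.g. READY)."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_blocks(text: str) -> list:
    """Return a list of ApiCall lists, one per "APIs" header that lists a call.
    A "Strings" or "Memory Dump Source" header ends the current listing."""
    blocks, current = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = []
            blocks.append(current)
            continue
        if head in ("Strings", "Memory Dump Source"):
            current = None
            continue
        m = API_LINE.match(line) if current is not None else None
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        current.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                               int(m["sub"], 16) if m["sub"] else None))
    return [b for b in blocks if b]


def polled_keys(calls: list) -> list:
    """Virtual keys a function polls via GetAsyncKeyState/GetKeyState, deduplicated, in order."""
    keys = []
    for c in calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and isinstance(c.args[0], int):
            label = VK_NAMES.get(c.args[0], f"0x{c.args[0]:02X}")
            if label not in keys:
                keys.append(label)
    return keys


def imports_by_module(blocks: list) -> dict:
    """Module name -> sorted distinct API names called across all blocks."""
    out = {}
    for calls in blocks:
        for c in calls:
            out.setdefault(c.module, set()).add(c.name)
    return {mod: sorted(names) for mod, names in out.items()}


# Constructed sample: lines copied from the report's keyboard-state, ICMP and
# LoadStringW listings, trimmed to keep the example short.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00AD9CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00AD9D22
• GetKeyState.USER32(000000A0), ref: 00AD9D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00AD9D57
• GetAsyncKeyState.USER32(00000011), ref: 00AD9D84
• GetAsyncKeyState.USER32(00000012), ref: 00AD9DAE
• GetAsyncKeyState.USER32(0000005B), ref: 00AD9DD8
Memory Dump Source
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00AF05BC
• gethostbyname.WSOCK32(?), ref: 00AF0628
• IcmpCreateFile.IPHLPAPI ref: 00AF0636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF06C6
• WSACleanup.WSOCK32 ref: 00AF07BF
Strings
APIs
  • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AE33CF
"""

if __name__ == "__main__":
    for i, calls in enumerate(parse_blocks(SAMPLE)):
        print(f"function {i}: {[c.name for c in calls]} keys={polled_keys(calls)}")
```

One caveat when reading these listings: the string IDs attached to the surrounding blocks (cdecl/stdcall/winapi, APPEND/EXISTS/KEYS/REMOVE, READY/NOTREADY/READONLY, Ping) match AutoIt interpreter built-ins such as DllCall, the Map functions, DriveStatus and Ping, which is consistent with the report's "Binary is likely a compiled AutoIt script file" signature. The modifier-key polling and ICMP routines in this dump are therefore most plausibly part of the AutoIt runtime the sample was compiled with rather than the injected stealer payload, so a parser like this is a triage aid for grouping and diffing call sequences, not a verdict on its own.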

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharLower
                        • String ID: cdecl$none$stdcall$winapi
                        • API String ID: 707087890-567219261
                        • Opcode ID: dbfe1b50a1a2dacecef66bfe52fdb5c9ef81ac47fe386ef882550ad0c53bb0c5
                        • Instruction ID: b6f38ae8a9ed824610af3fac24267581a3537d2f703b43815349497a6e712c32
                        • Opcode Fuzzy Hash: dbfe1b50a1a2dacecef66bfe52fdb5c9ef81ac47fe386ef882550ad0c53bb0c5
                        • Instruction Fuzzy Hash: 1651B432A0051A9BCF14DFA8C9519BEB7E5BF64710B208229F626E72C4DF38DD40C790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CoInitialize.OLE32 ref: 00AF3774
                        • CoUninitialize.OLE32 ref: 00AF377F
                        • CoCreateInstance.OLE32(?,00000000,00000017,00B0FB78,?), ref: 00AF37D9
                        • IIDFromString.OLE32(?,?), ref: 00AF384C
                        • VariantInit.OLEAUT32(?), ref: 00AF38E4
                        • VariantClear.OLEAUT32(?), ref: 00AF3936
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        • API String ID: 636576611-1287834457
                        • Opcode ID: 6b79b92c50987fd6997fcc5ddc19c5ee37d4f9c36014447c91a2b214369eac7f
                        • Instruction ID: a6b70a4e50fc29325252cc6b98d8d6290aa5531b14d4e9176625dc57abd4fda7
                        • Opcode Fuzzy Hash: 6b79b92c50987fd6997fcc5ddc19c5ee37d4f9c36014447c91a2b214369eac7f
                        • Instruction Fuzzy Hash: B661C272608305AFDB10EF94C988F6ABBE4EF49750F104949FA8597291D770EE48CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AE33CF
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AE33F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-3080491070
                        • Opcode ID: 4307d7b2c91b0e93de3349fdecb1e666576bac280fa36d2ee9fa70b770cbaf20
                        • Instruction ID: 6af5d7c633d7a270a5d82d26f728de6df92fde497fd012042e3d1cecf4bf7d9f
                        • Opcode Fuzzy Hash: 4307d7b2c91b0e93de3349fdecb1e666576bac280fa36d2ee9fa70b770cbaf20
                        • Instruction Fuzzy Hash: 4E516072D00109BADF15EBA0CE46EEEB7B8AF14740F208565F509731A2EB316F58DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                        • API String ID: 1256254125-769500911
                        • Opcode ID: 1ed46a2fdce553ed21573c3dc7690a49b2f15241ad5eb4cf7ac4a88a09fe55eb
                        • Instruction ID: 7c3ff358e145018715684a768093ed9399c649beb7752f2903e95cb557d54ecd
                        • Opcode Fuzzy Hash: 1ed46a2fdce553ed21573c3dc7690a49b2f15241ad5eb4cf7ac4a88a09fe55eb
                        • Instruction Fuzzy Hash: 2841E532A11026DBCB205F7D8D905BE77B5AFA4B54B26462BE822D7384E731CD81C7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00AE53A0
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AE5416
                        • GetLastError.KERNEL32 ref: 00AE5420
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00AE54A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        • Opcode ID: 9af57d5ebca99886475e4fe57b37793b8d1f299b17020846fac16aa4fc638dcb
                        • Instruction ID: 14c25bf1244a1686e22756282e3040d22b14ac50765eaaee1435d093cc786d66
                        • Opcode Fuzzy Hash: 9af57d5ebca99886475e4fe57b37793b8d1f299b17020846fac16aa4fc638dcb
                        • Instruction Fuzzy Hash: F931C139E006449FD710DF79D984AAABBF5EF04309F14C0A9E406DB292DB71DD86CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateMenu.USER32 ref: 00B03C79
                        • SetMenu.USER32(?,00000000), ref: 00B03C88
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B03D10
                        • IsMenu.USER32(?), ref: 00B03D24
                        • CreatePopupMenu.USER32 ref: 00B03D2E
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B03D5B
                        • DrawMenuBar.USER32 ref: 00B03D63
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                        • String ID: 0$F
                        • API String ID: 161812096-3044882817
                        • Opcode ID: f189ff6f56cebb2b33df9f275f8c2a028c6cdf68c48b159e87d0e8fb1d4e5ec6
                        • Instruction ID: b9b85838fd8398e62ff342daa078f918da3f50b0e8f2a5501effa904d8adf576
                        • Opcode Fuzzy Hash: f189ff6f56cebb2b33df9f275f8c2a028c6cdf68c48b159e87d0e8fb1d4e5ec6
                        • Instruction Fuzzy Hash: AD419C79A01209EFDB14CF64D888AAA7BF9FF59340F144168F916973A0DB30AA10CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00AD1F64
                        • GetDlgCtrlID.USER32 ref: 00AD1F6F
                        • GetParent.USER32 ref: 00AD1F8B
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD1F8E
                        • GetDlgCtrlID.USER32(?), ref: 00AD1F97
                        • GetParent.USER32(?), ref: 00AD1FAB
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD1FAE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 711023334-1403004172
                        • Opcode ID: 1da7fd47394a5760d4a14f4868a805e4740892b3a94a7393ea5707d3b3b4493f
                        • Instruction ID: 4f7317b55d453cb5319e28605509c8fccb0a8ec0a7cbf4b7638fbfc65dde769f
                        • Opcode Fuzzy Hash: 1da7fd47394a5760d4a14f4868a805e4740892b3a94a7393ea5707d3b3b4493f
                        • Instruction Fuzzy Hash: 4521CF71A00214BBCF15AFA0CD85DEEBBB8EF19310F104257F966A72A1DF355909DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B03A9D
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B03AA0
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B03AC7
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B03AEA
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B03B62
                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B03BAC
                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B03BC7
                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B03BE2
                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B03BF6
                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B03C13
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$LongWindow
                        • String ID:
                        • API String ID: 312131281-0
                        • Opcode ID: 1dd8d02b49980b9c17fc3c53b4e13ebdb71973ebba34edd89f609e4f662b62de
                        • Instruction ID: 820d2b76f003175527f08b9afe3c2098ea3ae1dc1ae48be05404a35b4d93fedd
                        • Opcode Fuzzy Hash: 1dd8d02b49980b9c17fc3c53b4e13ebdb71973ebba34edd89f609e4f662b62de
                        • Instruction Fuzzy Hash: 40615975900248AFDB20DF68CC85EEE7BF8EB49704F104599FA15E72E1DB70AA81DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00ADB151
                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB165
                        • GetWindowThreadProcessId.USER32(00000000), ref: 00ADB16C
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB17B
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADB18D
                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB1A6
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB1B8
                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB1FD
                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB212
                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00ADA1E1,?,00000001), ref: 00ADB21D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                        • String ID:
                        • API String ID: 2156557900-0
                        • Opcode ID: 59fa3ae13795ec77a16bfafa49ec8bf25d517411f824ddc540ba65b78fbcaa29
                        • Instruction ID: d74a7435070806d3e42d6de3d341d08dc653c438a60651a87723e494e884110c
                        • Opcode Fuzzy Hash: 59fa3ae13795ec77a16bfafa49ec8bf25d517411f824ddc540ba65b78fbcaa29
                        • Instruction Fuzzy Hash: 8631B476510204FFDB209F24EC94BAD7BB9BB52755F254206F902D7360DB749A408F70
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00AA2C94
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AA2CA0
                        • _free.LIBCMT ref: 00AA2CAB
                        • _free.LIBCMT ref: 00AA2CB6
                        • _free.LIBCMT ref: 00AA2CC1
                        • _free.LIBCMT ref: 00AA2CCC
                        • _free.LIBCMT ref: 00AA2CD7
                        • _free.LIBCMT ref: 00AA2CE2
                        • _free.LIBCMT ref: 00AA2CED
                        • _free.LIBCMT ref: 00AA2CFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 53d011067151023d4d03eeb32804943f0f3cfff12ea1dcdf025b18ec87060b3c
                        • Instruction ID: dfc0c2d0c5902e8506f4e8b303edc6dc0f769f7ed2bce923551451654ecd3a48
                        • Opcode Fuzzy Hash: 53d011067151023d4d03eeb32804943f0f3cfff12ea1dcdf025b18ec87060b3c
                        • Instruction Fuzzy Hash: 6211B976100108BFCB42EF58DA42EDE3BA5FF46750F4144A5FA485F2A2D731EE609B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A71459
                        • OleUninitialize.OLE32(?,00000000), ref: 00A714F8
                        • UnregisterHotKey.USER32(?), ref: 00A716DD
                        • DestroyWindow.USER32(?), ref: 00AB24B9
                        • FreeLibrary.KERNEL32(?), ref: 00AB251E
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AB254B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        • Opcode ID: 8c3e4db1b82087ea5ad33c42898e3a7caee249f3029f6cc481dac0ada674adc0
                        • Instruction ID: 7980ba46ba66bc18052c1ac5502f390c16df957aebbc7bb44cb760deaf3c8dba
                        • Opcode Fuzzy Hash: 8c3e4db1b82087ea5ad33c42898e3a7caee249f3029f6cc481dac0ada674adc0
                        • Instruction Fuzzy Hash: 4ED15B31701212CFDB29EF19C999B69FBA4BF05700F14C2AEE54A6B252DB31AD12CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE7FAD
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE7FC1
                        • GetFileAttributesW.KERNEL32(?), ref: 00AE7FEB
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AE8005
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE8017
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE8060
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AE80B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CurrentDirectory$AttributesFile
                        • String ID: *.*
                        • API String ID: 769691225-438819550
                        • Opcode ID: 723ea90e08404db7eaf8e847a2581801446a5f38f181563f76f7e6d9954e77fe
                        • Instruction ID: 6b9b17357d97189ec98dc164de5c3b95a67a0c0fc0c969487c7a745a0a607d1a
                        • Opcode Fuzzy Hash: 723ea90e08404db7eaf8e847a2581801446a5f38f181563f76f7e6d9954e77fe
                        • Instruction Fuzzy Hash: 6381A0725083819BCB24EF16C845AAEB3E8BF88310F548C5EF889D7251EB35DD45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 00A75C7A
                          • Part of subcall function 00A75D0A: GetClientRect.USER32(?,?), ref: 00A75D30
                          • Part of subcall function 00A75D0A: GetWindowRect.USER32(?,?), ref: 00A75D71
                          • Part of subcall function 00A75D0A: ScreenToClient.USER32(?,?), ref: 00A75D99
                        • GetDC.USER32 ref: 00AB46F5
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AB4708
                        • SelectObject.GDI32(00000000,00000000), ref: 00AB4716
                        • SelectObject.GDI32(00000000,00000000), ref: 00AB472B
                        • ReleaseDC.USER32(?,00000000), ref: 00AB4733
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AB47C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        • Opcode ID: 70e8326ba11e9ca526756fb0a80dde2b4a319a0f42ab9a01aac9970bd2943e2a
                        • Instruction ID: 0fbc7b21ea46a17bc180cc2488a82d444b7cc35fe49544543d7158b392a3e3a1
                        • Opcode Fuzzy Hash: 70e8326ba11e9ca526756fb0a80dde2b4a319a0f42ab9a01aac9970bd2943e2a
                        • Instruction Fuzzy Hash: 6A71DF35900205DFCF228F64CD85AFA7BB9FF4A360F148269E9555A2A7CB319881DF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00AE35E4
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • LoadStringW.USER32(00B42390,?,00000FFF,?), ref: 00AE360A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-2391861430
                        • Opcode ID: 1097e5774bf9759ba551fcfce84e6158a25c20690f309e140e76664355087c6c
                        • Instruction ID: 63d4edb7b5e28ff2987944b709cd380b74226e390145a68342ae136def50ea27
                        • Opcode Fuzzy Hash: 1097e5774bf9759ba551fcfce84e6158a25c20690f309e140e76664355087c6c
                        • Instruction Fuzzy Hash: BD518072D00249BADF15EBA1CE46EEEBB78AF14300F148165F109771A1EB315B98DF61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                          • Part of subcall function 00A8912D: GetCursorPos.USER32(?), ref: 00A89141
                          • Part of subcall function 00A8912D: ScreenToClient.USER32(00000000,?), ref: 00A8915E
                          • Part of subcall function 00A8912D: GetAsyncKeyState.USER32(00000001), ref: 00A89183
                          • Part of subcall function 00A8912D: GetAsyncKeyState.USER32(00000002), ref: 00A8919D
                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B08B6B
                        • ImageList_EndDrag.COMCTL32 ref: 00B08B71
                        • ReleaseCapture.USER32 ref: 00B08B77
                        • SetWindowTextW.USER32(?,00000000), ref: 00B08C12
                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B08C25
                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B08CFF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                        • API String ID: 1924731296-2107944366
                        • Opcode ID: dea2fab1bb129e458cd03af86b216b84e1fdf42920ffffd3eaa0472f5c018b28
                        • Instruction ID: 6088dd5b4180a0edf72216e4b398e547066b9a2c28800e4a2a8c4cf8a67b74dd
                        • Opcode Fuzzy Hash: dea2fab1bb129e458cd03af86b216b84e1fdf42920ffffd3eaa0472f5c018b28
                        • Instruction Fuzzy Hash: DC51BD71504300AFE710EF24CD5AFAA7BE4FB88710F004A6DF996572E1CB719A44CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AEC272
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AEC29A
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AEC2CA
                        • GetLastError.KERNEL32 ref: 00AEC322
                        • SetEvent.KERNEL32(?), ref: 00AEC336
                        • InternetCloseHandle.WININET(00000000), ref: 00AEC341
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                        • String ID:
                        • API String ID: 3113390036-3916222277
                        • Opcode ID: ab7bf915942d792f7d113b483e9897e75cdd621cabdf7187e75d19fed5aa4e38
                        • Instruction ID: f1bda9a75343e90f52263810e19343fb5644f22d9e32450b41c1bed10280af74
                        • Opcode Fuzzy Hash: ab7bf915942d792f7d113b483e9897e75cdd621cabdf7187e75d19fed5aa4e38
                        • Instruction Fuzzy Hash: F931AEB1600388AFD7219F668D88AABBBFCEB59760F14851EF446D7200DB30DD068B60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AB3AAF,?,?,Bad directive syntax error,00B0CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AD98BC
                        • LoadStringW.USER32(00000000,?,00AB3AAF,?), ref: 00AD98C3
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AD9987
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HandleLoadMessageModuleString_wcslen
                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                        • API String ID: 858772685-4153970271
                        • Opcode ID: 4b848dd9ee90874da873c0ab03970b250ea15d5e2687ff271a961a8a69a5eb06
                        • Instruction ID: 42032c1faa5e8b89e469fa6929c31636b9c7db154ff48fb15465d3805898954f
                        • Opcode Fuzzy Hash: 4b848dd9ee90874da873c0ab03970b250ea15d5e2687ff271a961a8a69a5eb06
                        • Instruction Fuzzy Hash: 56217132D0021ABFCF25AF90CD16EEE7779FF18700F048456F519661A2EB719618DB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetParent.USER32 ref: 00AD20AB
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00AD20C0
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AD214D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassMessageNameParentSend
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1290815626-3381328864
                        • Opcode ID: a1477ba0de3380dffd97361bbb3861c9c007ee1c95cf2cd616a1e8b1ee5f16b8
                        • Instruction ID: b2154819a864cfd39eb67a9b9540a14ea222e79d839f0bf2ebe0b58a30e4653d
                        • Opcode Fuzzy Hash: a1477ba0de3380dffd97361bbb3861c9c007ee1c95cf2cd616a1e8b1ee5f16b8
                        • Instruction Fuzzy Hash: 4111067A688706B9FA216720DC07EA677ECDF28764F204357FB06A61E1FE6168029714
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                        • String ID:
                        • API String ID: 1282221369-0
                        • Opcode ID: a2e2b5537a4e1a2b755b53493412fe08c0a438110ea4e8765237077d53d7ce62
                        • Instruction ID: 030ac1cb7697d58720f1a591516dc5488fbf7f120a377f40abd855a6612d4709
                        • Opcode Fuzzy Hash: a2e2b5537a4e1a2b755b53493412fe08c0a438110ea4e8765237077d53d7ce62
                        • Instruction Fuzzy Hash: 47610872908300AFEF25AFB89981B6E7BA5AF07370F04416DFA55972C1DB319E018791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B05186
                        • ShowWindow.USER32(?,00000000), ref: 00B051C7
                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 00B051CD
                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B051D1
                          • Part of subcall function 00B06FBA: DeleteObject.GDI32(00000000), ref: 00B06FE6
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B0520D
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B0521A
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B0524D
                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B05287
                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B05296
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                        • String ID:
                        • API String ID: 3210457359-0
                        • Opcode ID: e624dfab2c3c9776d21820aef99b5ff764cb96b533023f5a30b0aa513dfed37a
                        • Instruction ID: c985cdb927d3f6f51532b2a26987872d243ddbc973aa83aa36bb63388da61c7a
                        • Opcode Fuzzy Hash: e624dfab2c3c9776d21820aef99b5ff764cb96b533023f5a30b0aa513dfed37a
                        • Instruction Fuzzy Hash: 42516B30A50A08FEEF309F24CC4AB9A3FE5EF05321F148191F615A6AE1CB75A990DF41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AC6890
                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AC68A9
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AC68B9
                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AC68D1
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AC68F2
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A88874,00000000,00000000,00000000,000000FF,00000000), ref: 00AC6901
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AC691E
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A88874,00000000,00000000,00000000,000000FF,00000000), ref: 00AC692D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                        • String ID:
                        • API String ID: 1268354404-0
                        • Opcode ID: a49b999e106314a509b2a55b12408f571d56ef675040dd452dfd903703bd524d
                        • Instruction ID: c06634c707b1486ad9628ccd1bb5c0e98f9d3114258482a81f029f14a1d1b8fa
                        • Opcode Fuzzy Hash: a49b999e106314a509b2a55b12408f571d56ef675040dd452dfd903703bd524d
                        • Instruction Fuzzy Hash: 0E517870A00209EFDB20DF24CC99FAA7BB5FB98750F104618F906972A0DF74E991DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AEC182
                        • GetLastError.KERNEL32 ref: 00AEC195
                        • SetEvent.KERNEL32(?), ref: 00AEC1A9
                          • Part of subcall function 00AEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AEC272
                          • Part of subcall function 00AEC253: GetLastError.KERNEL32 ref: 00AEC322
                          • Part of subcall function 00AEC253: SetEvent.KERNEL32(?), ref: 00AEC336
                          • Part of subcall function 00AEC253: InternetCloseHandle.WININET(00000000), ref: 00AEC341
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                        • String ID:
                        • API String ID: 337547030-0
                        • Opcode ID: 1957ba3ec599888a290516cdfd790085bed231bd9743de21c3308a9f7cbe1b00
                        • Instruction ID: 71335775e3da143829a7a98ae9d090a9d9db9950fcf8f5c0ab0d47a1a51d1b91
                        • Opcode Fuzzy Hash: 1957ba3ec599888a290516cdfd790085bed231bd9743de21c3308a9f7cbe1b00
                        • Instruction Fuzzy Hash: 3E319271100781AFDB21AFA6DD44AA7BFF9FF28320B00451DFA5683611DB30E815DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD3A57
                          • Part of subcall function 00AD3A3D: GetCurrentThreadId.KERNEL32 ref: 00AD3A5E
                          • Part of subcall function 00AD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AD25B3), ref: 00AD3A65
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AD25BD
                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AD25DB
                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AD25DF
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AD25E9
                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AD2601
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00AD2605
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AD260F
                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AD2623
                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00AD2627
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                        • String ID:
                        • API String ID: 2014098862-0
                        • Opcode ID: fbd25515db032cb4368833f1579d304fee5ec4661c489af0d3b642dd36e5a5cc
                        • Instruction ID: 97057735d94ef47e8601ae459c34ddad3d668f7da92d967798fefe063ed07fb8
                        • Opcode Fuzzy Hash: fbd25515db032cb4368833f1579d304fee5ec4661c489af0d3b642dd36e5a5cc
                        • Instruction Fuzzy Hash: 1C01D831390210BBFB2067689C8AF593F69DB5EB51F100112F315AF1E1CEE25444CAAA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00AD1449,?,?,00000000), ref: 00AD180C
                        • HeapAlloc.KERNEL32(00000000,?,00AD1449,?,?,00000000), ref: 00AD1813
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AD1449,?,?,00000000), ref: 00AD1828
                        • GetCurrentProcess.KERNEL32(?,00000000,?,00AD1449,?,?,00000000), ref: 00AD1830
                        • DuplicateHandle.KERNEL32(00000000,?,00AD1449,?,?,00000000), ref: 00AD1833
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AD1449,?,?,00000000), ref: 00AD1843
                        • GetCurrentProcess.KERNEL32(00AD1449,00000000,?,00AD1449,?,?,00000000), ref: 00AD184B
                        • DuplicateHandle.KERNEL32(00000000,?,00AD1449,?,?,00000000), ref: 00AD184E
                        • CreateThread.KERNEL32(00000000,00000000,00AD1874,00000000,00000000,00000000), ref: 00AD1868
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                        • String ID:
                        • API String ID: 1957940570-0
                        • Opcode ID: c5f18b9332d98550b87e47af9c9d35e6ed52dfdb1d90d2e548532a250abaea9d
                        • Instruction ID: dbfac83e3d8571281defd2ba3571b61a4b3cd2a7757003a56fdc1f90e3c92a45
                        • Opcode Fuzzy Hash: c5f18b9332d98550b87e47af9c9d35e6ed52dfdb1d90d2e548532a250abaea9d
                        • Instruction Fuzzy Hash: BF01BBB5240308BFE710ABA5DC4DF6B3FACEB99B11F108511FA05DB2A2CA709800CB20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00ADD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ADD501
                          • Part of subcall function 00ADD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ADD50F
                          • Part of subcall function 00ADD4DC: CloseHandle.KERNEL32(00000000), ref: 00ADD5DC
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFA16D
                        • GetLastError.KERNEL32 ref: 00AFA180
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFA1B3
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AFA268
                        • GetLastError.KERNEL32(00000000), ref: 00AFA273
                        • CloseHandle.KERNEL32(00000000), ref: 00AFA2C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        • Opcode ID: 0688ee73fc36701ea240f054f15323b838822b607ed3aa8d2ea79f10f9517425
                        • Instruction ID: 4e061111c448c23978b8e22a4d6eb13262e830b14c41924efd05e2f0d909e53f
                        • Opcode Fuzzy Hash: 0688ee73fc36701ea240f054f15323b838822b607ed3aa8d2ea79f10f9517425
                        • Instruction Fuzzy Hash: 2A619D702042419FD320DF54C894FAABBA1AF64318F14C48CF56A4B7A3C772ED45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%
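Two of the entries above carry API chains that are easier to read once the raw stack values are decoded: the AttachThreadInput / MapVirtualKeyW / PostMessageW sequence (refs 00AD25BD to 00AD2627), which posts WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for VK_LEFT (0x25) and VK_RIGHT (0x27) directly into a target window's input queue, and the CreateToolhelp32Snapshot / OpenProcess(0x1) / TerminateProcess sequence next to the SeDebugPrivilege string (refs 00AFA16D to 00AFA2C4), which opens processes with PROCESS_TERMINATE only and kills them. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses these report lines into structured calls, names the Windows constants at the argument positions that matter, and flags both chains. The input strings are copied from the API lists above (the GetDC / GetDeviceCaps / SendMessageW GUI entry is included as a negative control); the ApiCall class, the LINE_RE pattern and the finding names are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Input lines copied verbatim from the "APIs" lists of three function entries on
# this page: the keystroke-posting entry, the process-kill entry and, as a
# negative control, the font/GUI entry.
ENTRY_KEYSTROKES = """
  • Part of subcall function 00AD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD3A57
  • Part of subcall function 00AD3A3D: GetCurrentThreadId.KERNEL32 ref: 00AD3A5E
  • Part of subcall function 00AD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AD25B3), ref: 00AD3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00AD25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AD25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00AD25DF
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AD2623
"""
ENTRY_PROCESS_KILL = """
  • Part of subcall function 00ADD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00ADD501
  • Part of subcall function 00ADD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00ADD50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFA16D
• GetLastError.KERNEL32 ref: 00AFA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00AFA268
• CloseHandle.KERNEL32(00000000), ref: 00AFA2C4
"""
ENTRY_GUI = """
• GetDC.USER32(00000000), ref: 00B02D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B02D2E
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B02D87
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, an optional "(args)" list, then "ref: XXXXXXXX".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Windows constants for the argument positions decoded below.
WM_KEYDOWN, WM_KEYUP, WM_SETFONT = 0x0100, 0x0101, 0x0030
VK_LEFT, VK_RIGHT = 0x25, 0x27
PROCESS_TERMINATE = 0x0001
LOGPIXELSY = 90
WINDOW_MESSAGES = {WM_KEYDOWN: "WM_KEYDOWN", WM_KEYUP: "WM_KEYUP", WM_SETFONT: "WM_SETFONT"}
VK_NAMES = {VK_LEFT: "VK_LEFT", VK_RIGHT: "VK_RIGHT"}
ARG_NAMES = {                       # (api, argument index) -> names for that position
    ("PostMessageW", 1): WINDOW_MESSAGES, ("SendMessageW", 1): WINDOW_MESSAGES,
    ("PostMessageW", 2): VK_NAMES, ("MapVirtualKeyW", 0): VK_NAMES,
    ("OpenProcess", 0): {PROCESS_TERMINATE: "PROCESS_TERMINATE"},
    ("GetDeviceCaps", 1): {LOGPIXELSY: "LOGPIXELSY"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # one int per listed value, None where the report prints '?'
    ref: int                # address of the call site
    parent: Optional[int]   # subcall function address when the call is nested

def parse_entry(text: str) -> list:
    """Parse the bullet lines of one function entry; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",") if a.strip()]
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), parent))
    return calls

def describe(call: ApiCall) -> str:
    """Render a call with named constants where the (api, position) is known."""
    shown = ["?" if a is None else ARG_NAMES.get((call.api, i), {}).get(a, f"0x{a:X}")
             for i, a in enumerate(call.args)]
    return f"{call.api}({', '.join(shown)}) @ {call.ref:08X}"

def classify(calls: list) -> list:
    """Return (finding, detail) pairs for the two chains seen in this report."""
    names = {c.api for c in calls}
    findings = []
    # Keystroke injection: attach to the target's input queue, then post
    # WM_KEYDOWN / WM_KEYUP straight into its window rather than using SendInput.
    key_posts = [c for c in calls if c.api == "PostMessageW"
                 and len(c.args) > 2 and c.args[1] in (WM_KEYDOWN, WM_KEYUP)]
    if key_posts and "AttachThreadInput" in names:
        keys = sorted({VK_NAMES.get(c.args[2], hex(c.args[2])) for c in key_posts if c.args[2] is not None})
        findings.append(("keystroke_injection", " ".join(keys)))
    # Process kill: enumerate with Toolhelp, open each victim with only
    # PROCESS_TERMINATE (0x1) and terminate it.
    opens = [c for c in calls if c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_TERMINATE]
    if opens and {"CreateToolhelp32Snapshot", "TerminateProcess"} <= names:
        findings.append(("process_kill", f"{len(opens)} OpenProcess(PROCESS_TERMINATE) call site(s)"))
    return findings

if __name__ == "__main__":
    for label, entry in [("keystrokes", ENTRY_KEYSTROKES), ("process_kill", ENTRY_PROCESS_KILL), ("gui", ENTRY_GUI)]:
        calls = parse_entry(entry)
        print(f"== {label}: {len(calls)} calls, findings={classify(calls)}")
        for c in calls:
            print("  ", describe(c))
```

Decode only by position and do not trust trailing values: Joe Sandbox prints the stack as it found it at the call site, so Sleep.KERNEL32 being listed with five values does not mean Sleep took five parameters; the extra values are spill-over from the caller's frame. The runtime error strings further down this page ("NULL Pointer assignment", "Incorrect Object type in FOR..IN loop") are AutoIt interpreter messages, so these two chains most likely come from the AutoIt runtime's own built-ins rather than from bespoke code; that is an inference from the strings, not a finding the report states.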

                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B03925
                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B0393A
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B03954
                        • _wcslen.LIBCMT ref: 00B03999
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B039C6
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B039F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$Window_wcslen
                        • String ID: SysListView32
                        • API String ID: 2147712094-78025650
                        • Opcode ID: 7591a4266d256a7fadcaa20d5ff4ea50f06e9a2cd56bd850d20873513cc7dbea
                        • Instruction ID: 7a37b38b0aae7e24708b69a89c285d2ed4ffc9a6d3ad7591ec2c115f696748e6
                        • Opcode Fuzzy Hash: 7591a4266d256a7fadcaa20d5ff4ea50f06e9a2cd56bd850d20873513cc7dbea
                        • Instruction Fuzzy Hash: B9419371A00318ABEF219F64CC49BEA7BEDEF08750F1045A6F559E72D1DB719A80CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ADBCFD
                        • IsMenu.USER32(00000000), ref: 00ADBD1D
                        • CreatePopupMenu.USER32 ref: 00ADBD53
                        • GetMenuItemCount.USER32(010A67F8), ref: 00ADBDA4
                        • InsertMenuItemW.USER32(010A67F8,?,00000001,00000030), ref: 00ADBDCC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                        • String ID: 0$2
                        • API String ID: 93392585-3793063076
                        • Opcode ID: 0f5abfa2cc16c04dd01d2e7f325e851ee06491a0e185ca74139592808e2a482a
                        • Instruction ID: d77cc8273a38456503e1322dc7790df2485fad73641088ae5e13b9782b2c5756
                        • Opcode Fuzzy Hash: 0f5abfa2cc16c04dd01d2e7f325e851ee06491a0e185ca74139592808e2a482a
                        • Instruction Fuzzy Hash: A051AD70A10209EBDF20CFA8D984BAEBBF6BF59314F15425BE49297391DB709940CB71
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 00ADC913
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        • Opcode ID: d42e45126d159c2c723835361d960be2fb24af75b53667da78580f00601a74a5
                        • Instruction ID: cf6026e0130fcdd3bd694187ce54e0dabb24185746b5130975b7b81528f70b1f
                        • Opcode Fuzzy Hash: d42e45126d159c2c723835361d960be2fb24af75b53667da78580f00601a74a5
                        • Instruction Fuzzy Hash: 8411EB32789307BAEB015B549C93CAE77ECDF15374BA0406BF901A6382E7705D019264
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                        • String ID: 0.0.0.0
                        • API String ID: 642191829-3771769585
                        • Opcode ID: d16d728c95774c171928811d26b66be48564353b4ee0dee50855670242a105e8
                        • Instruction ID: 007979c20be64e39df74a18ec68616e6ed069535b0dc776f157fd71f0d2fb0ca
                        • Opcode Fuzzy Hash: d16d728c95774c171928811d26b66be48564353b4ee0dee50855670242a105e8
                        • Instruction Fuzzy Hash: D7110631904114AFCB20AB64DD0AEEE7BBCDF14711F0002AAF446AB291EF708A818B60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$LocalTime
                        • String ID:
                        • API String ID: 952045576-0
                        • Opcode ID: a86b6ab871b33fd51043df8b54863a0c74fb4d8264e3dddb04a652d54382cee9
                        • Instruction ID: be26c2cbc87525705bbc3dc6293af82703694967b34d5090e051a451b05c7b94
                        • Opcode Fuzzy Hash: a86b6ab871b33fd51043df8b54863a0c74fb4d8264e3dddb04a652d54382cee9
                        • Instruction Fuzzy Hash: EE41AE65E1021876DF11FBB48C8A9CFB7ECAF45710F508462E519E3222FB34E645C3A6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AC682C,00000004,00000000,00000000), ref: 00A8F953
                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AC682C,00000004,00000000,00000000), ref: 00ACF3D1
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AC682C,00000004,00000000,00000000), ref: 00ACF454
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        • Opcode ID: 8f16787a3daef3c97d4bb8981f37d165481edb996e5d50eaaf9353fb4061fc97
                        • Instruction ID: 9756ef07564cf8bc757d18d323efba8dfffef5e08c4d2d39c3506089da5718ad
                        • Opcode Fuzzy Hash: 8f16787a3daef3c97d4bb8981f37d165481edb996e5d50eaaf9353fb4061fc97
                        • Instruction Fuzzy Hash: CE412831618681FEC739AF3DCD88B2A7FA2AB56310F15453CE49757660CB36A980CB11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00B02D1B
                        • GetDC.USER32(00000000), ref: 00B02D23
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B02D2E
                        • ReleaseDC.USER32(00000000,00000000), ref: 00B02D3A
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B02D76
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B02D87
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B05A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B02DC2
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B02DE1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        • Opcode ID: 67e5915ffb5aff3cd8bf748e41a2b024fce2556035ca1d78eb7f955c737d3d13
                        • Instruction ID: 9a9bacde1e503c9884444187f362518b7c5f80d26200f3090dd70c94d2286f8d
                        • Opcode Fuzzy Hash: 67e5915ffb5aff3cd8bf748e41a2b024fce2556035ca1d78eb7f955c737d3d13
                        • Instruction Fuzzy Hash: 6A318972201214BBEB218F50CC8AFEB3FADEB19751F0441A5FE089B2D1DA759C41CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        • Opcode ID: db367933ae995b2bec5cff608a20a790ebd9e1e1ef147dc67dd141b418f57b6a
                        • Instruction ID: 55335fef25e527f2a3c7eb5956d4cdd848c5002c17943be2c90cc48015f96fe6
                        • Opcode Fuzzy Hash: db367933ae995b2bec5cff608a20a790ebd9e1e1ef147dc67dd141b418f57b6a
                        • Instruction Fuzzy Hash: EC219571F44A0AB7E62556308E82FBB33ECAE21784F580022FD069AB81F720ED1085A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: NULL Pointer assignment$Not an Object type
                        • API String ID: 0-572801152
                        • Opcode ID: c74a9dd20fca28c51d4470ec50c9e27d57ac3c363a7effde89ae9443168e46c2
                        • Instruction ID: 9cd732d13d8a94075fe552180fecf4546a1552e11626c972571168c19240a40b
                        • Opcode Fuzzy Hash: c74a9dd20fca28c51d4470ec50c9e27d57ac3c363a7effde89ae9443168e46c2
                        • Instruction Fuzzy Hash: 66D18F71E0060AAFDB14DFA8C891BBEB7B5BF48344F148169FA15AB281D770ED45CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AB17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AB15CE
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AB1651
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AB17FB,?,00AB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AB16E4
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AB16FB
                          • Part of subcall function 00AA3820: RtlAllocateHeap.NTDLL(00000000,?,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6,?,00A71129), ref: 00AA3852
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AB1777
                        • __freea.LIBCMT ref: 00AB17A2
                        • __freea.LIBCMT ref: 00AB17AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                        • String ID:
                        • API String ID: 2829977744-0
                        • Opcode ID: dadaf5af79c2a65888dd5550206927a8322e9a3792a118b9b29b6a29984e6834
                        • Instruction ID: 782ca4c38a8be9b877edfdaef9b068eb5f94c3f62f10948a5254d9f025e4c325
                        • Opcode Fuzzy Hash: dadaf5af79c2a65888dd5550206927a8322e9a3792a118b9b29b6a29984e6834
                        • Instruction Fuzzy Hash: 8091B672E102169EDF308F74C9A1AEEBBBD9F49350F984659E801E7182DB35DD80CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$ClearInit
                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                        • API String ID: 2610073882-625585964
                        • Opcode ID: 305e0a1d54e458094b3690783600f0ac3c167b5b50fe1443495584225b8ad59c
                        • Instruction ID: fc88fa19af50d6b435d2253dedf8089941462984087e273aaf406823e37e2728
                        • Opcode Fuzzy Hash: 305e0a1d54e458094b3690783600f0ac3c167b5b50fe1443495584225b8ad59c
                        • Instruction Fuzzy Hash: F1916D71A00219ABDF24DFA5C884FBFBBB8EF4A714F108559F615AB280D7709945CFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00AE125C
                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AE1284
                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00AE12A8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AE12D8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AE135F
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AE13C4
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AE1430
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                        • String ID:
                        • API String ID: 2550207440-0
                        • Opcode ID: b31866d1c51ba8633856993f6f3139a3413155ec27f4a1dccaae009014460b07
                        • Instruction ID: e740897591c4f9640cc68c1c2d74c94c375c709f64b2ab06733b1327a920507c
                        • Opcode Fuzzy Hash: b31866d1c51ba8633856993f6f3139a3413155ec27f4a1dccaae009014460b07
                        • Instruction Fuzzy Hash: 0191D2B5A002699FDB00DFA9C884BFEB7B5FF45315F208029EA10EB291D774AD41CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: 20b65d0080ac366011c16e5d876311ab2ee7487902f4110857eaed802774069d
                        • Instruction ID: e065a578cefebca951fc30961664c0c745f1fbfa9971c382f684404d37caf38a
                        • Opcode Fuzzy Hash: 20b65d0080ac366011c16e5d876311ab2ee7487902f4110857eaed802774069d
                        • Instruction Fuzzy Hash: E2912471D40219EFCB14DFA9C884AEEBBB8FF49320F188159E515B7251D774AA42CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00AF396B
                        • CharUpperBuffW.USER32(?,?), ref: 00AF3A7A
                        • _wcslen.LIBCMT ref: 00AF3A8A
                        • VariantClear.OLEAUT32(?), ref: 00AF3C1F
                          • Part of subcall function 00AE0CDF: VariantInit.OLEAUT32(00000000), ref: 00AE0D1F
                          • Part of subcall function 00AE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00AE0D28
                          • Part of subcall function 00AE0CDF: VariantClear.OLEAUT32(?), ref: 00AE0D34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4137639002-1221869570
                        • Opcode ID: 78fd90e2a96998141573348317faa85787d0c4052bce499eb676bbed9aa1aeb2
                        • Instruction ID: 985294a2cad7039952992c3d48ae11a62f4e2cc7ab1ed9ebd43598e4ffdfe3ac
                        • Opcode Fuzzy Hash: 78fd90e2a96998141573348317faa85787d0c4052bce499eb676bbed9aa1aeb2
                        • Instruction Fuzzy Hash: 1A9189756083059FCB04EF64C59082ABBE4FF88314F14896EF98A9B351DB31EE45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?,?,00AD035E), ref: 00AD002B
                          • Part of subcall function 00AD000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?), ref: 00AD0046
                          • Part of subcall function 00AD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?), ref: 00AD0054
                          • Part of subcall function 00AD000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?), ref: 00AD0064
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00AF4C51
                        • _wcslen.LIBCMT ref: 00AF4D59
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00AF4DCF
                        • CoTaskMemFree.OLE32(?), ref: 00AF4DDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 614568839-2785691316
                        • Opcode ID: 02a29c105b94fbd725bb08180bb27b8e0f64249587aa586853e4bfbb6aed6f68
                        • Instruction ID: 1ecac399423a914f50d2ae317106218f0dc3631c656f729b88f9790606e2d6e8
                        • Opcode Fuzzy Hash: 02a29c105b94fbd725bb08180bb27b8e0f64249587aa586853e4bfbb6aed6f68
                        • Instruction Fuzzy Hash: 4C910671D0021DAFDF14DFA4CC91AEEBBB9BF48310F10816AF919A7251EB349A458F61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenu.USER32(?), ref: 00B02183
                        • GetMenuItemCount.USER32(00000000), ref: 00B021B5
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B021DD
                        • _wcslen.LIBCMT ref: 00B02213
                        • GetMenuItemID.USER32(?,?), ref: 00B0224D
                        • GetSubMenu.USER32(?,?), ref: 00B0225B
                          • Part of subcall function 00AD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD3A57
                          • Part of subcall function 00AD3A3D: GetCurrentThreadId.KERNEL32 ref: 00AD3A5E
                          • Part of subcall function 00AD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AD25B3), ref: 00AD3A65
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B022E3
                          • Part of subcall function 00ADE97B: Sleep.KERNEL32 ref: 00ADE9F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                        • String ID:
                        • API String ID: 4196846111-0
                        • Opcode ID: 1e2e429c503352fde7ae0cb96ffa6809c9658d76a6fe208bd66063eb9c3946eb
                        • Instruction ID: 9c7d57bff10fff774bc0cd59313fcaa39fee79fd2399c16bef3bfab00ab347fb
                        • Opcode Fuzzy Hash: 1e2e429c503352fde7ae0cb96ffa6809c9658d76a6fe208bd66063eb9c3946eb
                        • Instruction Fuzzy Hash: EC719175E00205AFCB10EFA4C985AAEBBF5FF48310F148499E916EB391DB34ED458B90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsWindow.USER32(010A67D0), ref: 00B07F37
                        • IsWindowEnabled.USER32(010A67D0), ref: 00B07F43
                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B0801E
                        • SendMessageW.USER32(010A67D0,000000B0,?,?), ref: 00B08051
                        • IsDlgButtonChecked.USER32(?,?), ref: 00B08089
                        • GetWindowLongW.USER32(010A67D0,000000EC), ref: 00B080AB
                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B080C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                        • String ID:
                        • API String ID: 4072528602-0
                        • Opcode ID: 878acceed81ba597149903bc1087555eb022eeee2a86bf58765b9d8e923fa453
                        • Instruction ID: 9534fc52b43bc19b8ae46c58584186746916e034bfc5cbff213e85cc56d68ad1
                        • Opcode Fuzzy Hash: 878acceed81ba597149903bc1087555eb022eeee2a86bf58765b9d8e923fa453
                        • Instruction Fuzzy Hash: F7718D34A48245AFEB219F64C884FAABFF9EF19300F144499E946972E1CF31B945DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetParent.USER32(?), ref: 00ADAEF9
                        • GetKeyboardState.USER32(?), ref: 00ADAF0E
                        • SetKeyboardState.USER32(?), ref: 00ADAF6F
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00ADAF9D
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00ADAFBC
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00ADAFFD
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ADB020
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: 0cbc09efd01ac9281e3974355d0a9f5375d1db1abb2a69f81301103bed9466f4
                        • Instruction ID: ce6915a9c3ab12066aa405d26f5454c14937c69813c8e2023d1696e478901e51
                        • Opcode Fuzzy Hash: 0cbc09efd01ac9281e3974355d0a9f5375d1db1abb2a69f81301103bed9466f4
                        • Instruction Fuzzy Hash: EB5103A16147D17DFB3643348C05BBB7EA96B0A304F08858AE1DA469C2C7D9ADC8D361
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetParent.USER32(00000000), ref: 00ADAD19
                        • GetKeyboardState.USER32(?), ref: 00ADAD2E
                        • SetKeyboardState.USER32(?), ref: 00ADAD8F
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ADADBB
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ADADD8
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ADAE17
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ADAE38
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: bd6ce30d6afc9282c41c6f66e34ff59e15b5e5b756af9966431bbaebf17739c5
                        • Instruction ID: d2c242d8a912e4901630a29b37bb20617d2f303c06f6832bb43e0daf4f681935
                        • Opcode Fuzzy Hash: bd6ce30d6afc9282c41c6f66e34ff59e15b5e5b756af9966431bbaebf17739c5
                        • Instruction Fuzzy Hash: A7510BA16047E53DFB334334CC45BBA7FA96B56300F08858AE1D746AC2D794EC84D762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetConsoleCP.KERNEL32(00AB3CD6,?,?,?,?,?,?,?,?,00AA5BA3,?,?,00AB3CD6,?,?), ref: 00AA5470
                        • __fassign.LIBCMT ref: 00AA54EB
                        • __fassign.LIBCMT ref: 00AA5506
                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AB3CD6,00000005,00000000,00000000), ref: 00AA552C
                        • WriteFile.KERNEL32(?,00AB3CD6,00000000,00AA5BA3,00000000,?,?,?,?,?,?,?,?,?,00AA5BA3,?), ref: 00AA554B
                        • WriteFile.KERNEL32(?,?,00000001,00AA5BA3,00000000,?,?,?,?,?,?,?,?,?,00AA5BA3,?), ref: 00AA5584
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: d5b5b29b2c6e6de78b6806328286b6f638a6de87779691743e368a21c19bb160
                        • Instruction ID: 9fa98b0558c40f2b0167a9c76956e4de92cab996bf24e39ca89845096916d08c
                        • Opcode Fuzzy Hash: d5b5b29b2c6e6de78b6806328286b6f638a6de87779691743e368a21c19bb160
                        • Instruction Fuzzy Hash: FF51C271E00649AFDB11CFB8D885AEEBBF9EF1A300F14411AF955E7291D7309A41CB64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 00A92D4B
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00A92D53
                        • _ValidateLocalCookies.LIBCMT ref: 00A92DE1
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00A92E0C
                        • _ValidateLocalCookies.LIBCMT ref: 00A92E61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: a2daafd8425baade3664616f6fcc0be6361bd233de3e5777953491fd75a6d961
                        • Instruction ID: 7fe9312ffc9f53e092f832d248efa8d32914f90d0903ce2a64c97cac9362ecc2
                        • Opcode Fuzzy Hash: a2daafd8425baade3664616f6fcc0be6361bd233de3e5777953491fd75a6d961
                        • Instruction Fuzzy Hash: BD419D34B01209ABCF14EF68C885B9EBBF5BF44324F148155E814AB3A2DB31AE45CBD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AF307A
                          • Part of subcall function 00AF304E: _wcslen.LIBCMT ref: 00AF309B
                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AF1112
                        • WSAGetLastError.WSOCK32 ref: 00AF1121
                        • WSAGetLastError.WSOCK32 ref: 00AF11C9
                        • closesocket.WSOCK32(00000000), ref: 00AF11F9
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 2675159561-0
                        • Opcode ID: 0a5274b47d68a9c5cb3f359b2ff2ac72b6ffb53fc2ba7c9b4450ee56895b0325
                        • Instruction ID: e54741a38595f2df99854950369e092bdee4d12021d6487dfd36245e7d4ef354
                        • Opcode Fuzzy Hash: 0a5274b47d68a9c5cb3f359b2ff2ac72b6ffb53fc2ba7c9b4450ee56895b0325
                        • Instruction Fuzzy Hash: F841D731600208EFDB109F54CC44BBABBE9EF45324F14C259FA5A9B291CB70AD41CBE5
                        Uniqueness

                        Uniqueness Score: -1.00%

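The blocks above list the Win32 calls of the binary's runtime with their arguments as raw hex: the four PostMessageW calls of 0x101 with 0x10/0x11/0x12/0x5B that follow GetKeyboardState/SetKeyboardState, the AttachThreadInput subcall beneath the GetMenu/GetMenuItemID walker, and the socket(2,1,6) setup in the WSOCK32 block. The following decoder is an added example, not part of this report or of Joe Sandbox: it parses these bullet lines, names the constants it recognises (WM_KEYDOWN/WM_KEYUP/WM_COMMAND, the modifier virtual keys, AF_INET/SOCK_STREAM/IPPROTO_TCP) and tags what each call implies. The sample listing is constructed from lines on this page, the tag names are the example's own, and unknown constants are passed through untouched. The tags describe capability, not intent: these routines sit in the AutoIt interpreter stub that the report identifies the binary as carrying, so a tag alone does not say the embedded script uses them.

```python
"""Decode Joe Sandbox "APIs" listing lines into readable Win32 calls.

Added example (not report or Joe Sandbox code). Parses the bullet lines of a
function block, names known message / virtual-key / socket constants and tags
the behaviour the calls imply.
"""
import re
from typing import Optional

# Constructed sample: bullet lines copied from function blocks in this report.
SAMPLE_LISTING = """\
• GetParent.USER32(?), ref: 00ADAEF9
• GetKeyboardState.USER32(?), ref: 00ADAF0E
• SetKeyboardState.USER32(?), ref: 00ADAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00ADAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00ADAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00ADAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ADB020
  • Part of subcall function 00AD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AD25B3), ref: 00AD3A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B022E3
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AF1112
• WSAGetLastError.WSOCK32 ref: 00AF1121
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B02EE0
"""

# One bullet: optional "Part of subcall function X:" prefix, API.MODULE, optional
# "(args)", then "ref: <address>". Lines such as "_wcslen.LIBCMT ref: ..." have no args.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants that appear in this report's listings (values from winuser.h / winsock.h).
WINDOW_MESSAGES = {
    0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
    0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
ADDRESS_FAMILIES = {2: "AF_INET"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
IP_PROTOCOLS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def to_int(token: str) -> Optional[int]:
    """Hex argument -> int; '?' (unresolved by the disassembler) -> None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_listing(text: str) -> list:
    """Return one dict per recognised bullet line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "caller": m.group("caller"), "api": m.group("api"),
            "module": m.group("module"), "ref": m.group("ref"),
            "args": raw.split(",") if raw else [],
        })
    return calls


def decode_call(call: dict) -> str:
    """Render the call with known constants named; unknown values stay as hex."""
    api, args = call["api"], list(call["args"])
    if api in ("PostMessageW", "SendMessageW") and len(args) >= 2:
        msg = to_int(args[1])
        args[1] = WINDOW_MESSAGES.get(msg, args[1])
        if msg in (0x0100, 0x0101) and len(args) >= 3:  # wParam of key messages is a VK code
            args[2] = VIRTUAL_KEYS.get(to_int(args[2]), args[2])
    elif api == "socket" and len(args) >= 3:
        args[0] = ADDRESS_FAMILIES.get(to_int(args[0]), args[0])
        args[1] = SOCKET_TYPES.get(to_int(args[1]), args[1])
        args[2] = IP_PROTOCOLS.get(to_int(args[2]), args[2])
    return f"{api}({', '.join(args)})"


def classify(call: dict) -> set:
    """Tag names are this example's own; they state capability, not maliciousness."""
    tags, api, args = set(), call["api"], call["args"]
    if api in ("PostMessageW", "SendMessageW") and len(args) >= 2:
        msg = to_int(args[1])
        if msg in (0x0100, 0x0101):
            tags.add("synthetic_keystrokes")        # key events posted to a window
        elif msg == 0x0111:
            tags.add("wm_command_injection")        # menu/accelerator command forced
    if api in ("GetKeyboardState", "SetKeyboardState"):
        tags.add("keyboard_state_rewrite")          # modifier state edited directly
    if api == "AttachThreadInput":
        tags.add("cross_thread_input_attach")       # shares input queue with target thread
    if api == "socket" and len(args) >= 2 and to_int(args[0]) == 2 and to_int(args[1]) == 1:
        tags.add("raw_tcp_socket")
    return tags


def summarize(text: str) -> dict:
    calls = parse_listing(text)
    tags = set()
    for call in calls:
        tags |= classify(call)
    return {"calls": [decode_call(c) for c in calls], "tags": tags}


if __name__ == "__main__":
    result = summarize(SAMPLE_LISTING)
    for line in result["calls"]:
        print(line)
    print("tags:", ", ".join(sorted(result["tags"])))
```

Run against the two PostMessageW blocks, the decoder renders 0x101/0x10 as WM_KEYUP/VK_SHIFT and the sibling block's 0x100 as WM_KEYDOWN, which is the pair of press and release sequences for the four modifier keys; the GetWindowLongW index arguments (0xF0, 0xEC) are not message IDs and are deliberately left untouched.
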
                        APIs
                          • Part of subcall function 00ADDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ADCF22,?), ref: 00ADDDFD
                          • Part of subcall function 00ADDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ADCF22,?), ref: 00ADDE16
                        • lstrcmpiW.KERNEL32(?,?), ref: 00ADCF45
                        • MoveFileW.KERNEL32(?,?), ref: 00ADCF7F
                        • _wcslen.LIBCMT ref: 00ADD005
                        • _wcslen.LIBCMT ref: 00ADD01B
                        • SHFileOperationW.SHELL32(?), ref: 00ADD061
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                        • String ID: \*.*
                        • API String ID: 3164238972-1173974218
                        • Opcode ID: eb8f0ebe3e428374335980fb9cbd050126c1d61b94f14350d2f865bd392826a1
                        • Instruction ID: 628955c8e66508b939aacdb16a34c5da84be51e6509e16544a8d29bcefb6fbc1
                        • Opcode Fuzzy Hash: eb8f0ebe3e428374335980fb9cbd050126c1d61b94f14350d2f865bd392826a1
                        • Instruction Fuzzy Hash: 274137719452195FDF12EFA4CE81ADE77B9AF18780F5000E7E546EB242EB34AB48CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B02E1C
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B02E4F
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B02E84
                        • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B02EB6
                        • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B02EE0
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B02EF1
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B02F0B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        • Opcode ID: 862243e8ca4299d8edaf215db0bf1bfbfaba51514af271bd91c740aa2b4a0117
                        • Instruction ID: 986e3803dccd0ac1db90856219bbd4cc5717a062852887e3f87be57cde0bc4f2
                        • Opcode Fuzzy Hash: 862243e8ca4299d8edaf215db0bf1bfbfaba51514af271bd91c740aa2b4a0117
                        • Instruction Fuzzy Hash: 2D310334684250AFEB21CF58DC89F653BE5FB9A750F1501A4FA058B2F2CB71A889DB41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD7769
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD778F
                        • SysAllocString.OLEAUT32(00000000), ref: 00AD7792
                        • SysAllocString.OLEAUT32(?), ref: 00AD77B0
                        • SysFreeString.OLEAUT32(?), ref: 00AD77B9
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00AD77DE
                        • SysAllocString.OLEAUT32(?), ref: 00AD77EC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: b7c7140e3b267307e914042ded2fad8d45171734c38faef682d243c46a8badc4
                        • Instruction ID: 161d60542e63a64fc7198838bf725de7465d1daa383fa2d8be2948f1cb37d977
                        • Opcode Fuzzy Hash: b7c7140e3b267307e914042ded2fad8d45171734c38faef682d243c46a8badc4
                        • Instruction Fuzzy Hash: AA219276604219AFDF14EFA8CC88CBF77ACFB097647048526FA15DB290EA70DC418764
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD7842
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AD7868
                        • SysAllocString.OLEAUT32(00000000), ref: 00AD786B
                        • SysAllocString.OLEAUT32 ref: 00AD788C
                        • SysFreeString.OLEAUT32 ref: 00AD7895
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00AD78AF
                        • SysAllocString.OLEAUT32(?), ref: 00AD78BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: 38e6d3e79948ed347762d31199ce313bcec706b6ee25be3b2cb638db327ffc90
                        • Instruction ID: dc0c3ba83226e1687a989a9c0d61ecb2eec81c390aae1a481c245c2593f43f24
                        • Opcode Fuzzy Hash: 38e6d3e79948ed347762d31199ce313bcec706b6ee25be3b2cb638db327ffc90
                        • Instruction Fuzzy Hash: 77216232604205AFDB14AFA8DC89DAE77ACFB197607108126F915CB3A1EB74DC81DB64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 00AE04F2
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE052E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        • Opcode ID: d1118f770007c5308c40729640dd62fe4bffd092d836da531e3061e0d4ee137c
                        • Instruction ID: 1158a83f1b00217f6690a8e0c760eac275f0f4d3e855adde194f3fdedfbfafcc
                        • Opcode Fuzzy Hash: d1118f770007c5308c40729640dd62fe4bffd092d836da531e3061e0d4ee137c
                        • Instruction Fuzzy Hash: F9213D75500346AFDB209F6ADC44E9A7BB4AF55724F608A19F8A1E72E0D7B0D980CF30
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetStdHandle.KERNEL32(000000F6), ref: 00AE05C6
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE0601
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        • Opcode ID: da1add9600737051ef413f570ba55b3728f28bcda4b7d5bb90820f1bdfc505f4
                        • Instruction ID: 464bf8376f91b4239f95047e29c0c875c61b3ebaede7a50c497b7d6a9ccff16f
                        • Opcode Fuzzy Hash: da1add9600737051ef413f570ba55b3728f28bcda4b7d5bb90820f1bdfc505f4
                        • Instruction Fuzzy Hash: A8214F755003459FDB209F6A9C04F9A7BE4AF95720F244B19E8A1E72E0DBF099A0CB20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A7604C
                          • Part of subcall function 00A7600E: GetStockObject.GDI32(00000011), ref: 00A76060
                          • Part of subcall function 00A7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A7606A
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B04112
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B0411F
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B0412A
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B04139
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B04145
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        • Opcode ID: 97ecea6f6c235d9c3db7cfeceaec169569b65088306fbbfcebe9fa17cfd176cb
                        • Instruction ID: 598ad3669f158d5e1e280d8327fa9eafde6758500748f88745c6c2bf9dadd0d5
                        • Opcode Fuzzy Hash: 97ecea6f6c235d9c3db7cfeceaec169569b65088306fbbfcebe9fa17cfd176cb
                        • Instruction Fuzzy Hash: 3811B6B214011DBEEF118F64CC85EE77F9DEF08798F008110B718A6090CB729C61DBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AAD7A3: _free.LIBCMT ref: 00AAD7CC
                        • _free.LIBCMT ref: 00AAD82D
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AAD838
                        • _free.LIBCMT ref: 00AAD843
                        • _free.LIBCMT ref: 00AAD897
                        • _free.LIBCMT ref: 00AAD8A2
                        • _free.LIBCMT ref: 00AAD8AD
                        • _free.LIBCMT ref: 00AAD8B8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                        • Instruction ID: dbd91ce82a8ade5a37dfbd6320471076ec1f38bc5ab4aff9f53092848144ded4
                        • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                        • Instruction Fuzzy Hash: 5C115171540B04AAD522BFB0CD47FCB7BDC6F46700F400825B2DAAB8E2DB65B5154751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ADDA74
                        • LoadStringW.USER32(00000000), ref: 00ADDA7B
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ADDA91
                        • LoadStringW.USER32(00000000), ref: 00ADDA98
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ADDADC
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 00ADDAB9
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 4072794657-3128320259
                        • Opcode ID: 5e691759ee10b0cd88f0f67d39767159beea9f95a793fe51b9a97eb933cfb4d8
                        • Instruction ID: b6ef9d36c0636a635a1538dc1784328fe40b3071748af0e28eb9a024c7580b6a
                        • Opcode Fuzzy Hash: 5e691759ee10b0cd88f0f67d39767159beea9f95a793fe51b9a97eb933cfb4d8
                        • Instruction Fuzzy Hash: 160186F69002087FE7509BA4DD89EE73B6CE708701F404592B706E7191EB749E844F74
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InterlockedExchange.KERNEL32(010B01C8,010B01C8), ref: 00AE097B
                        • EnterCriticalSection.KERNEL32(010B01A8,00000000), ref: 00AE098D
                        • TerminateThread.KERNEL32(?,000001F6), ref: 00AE099B
                        • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00AE09A9
                        • CloseHandle.KERNEL32(?), ref: 00AE09B8
                        • InterlockedExchange.KERNEL32(010B01C8,000001F6), ref: 00AE09C8
                        • LeaveCriticalSection.KERNEL32(010B01A8), ref: 00AE09CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        • Opcode ID: 784e5fbdc4b4c38b9257e27a9d156c987dd02c9516251a9673b944517d366e5c
                        • Instruction ID: 0459e64184475467ea484942838a98df69cb64dd3133e2d1b86d65d21f27ca7b
                        • Opcode Fuzzy Hash: 784e5fbdc4b4c38b9257e27a9d156c987dd02c9516251a9673b944517d366e5c
                        • Instruction Fuzzy Hash: 76F01932442A02AFD7415FA4EE88AD6BE29BF11702F502225F20292CA1CB749465CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AF1DC0
                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AF1DE1
                        • WSAGetLastError.WSOCK32 ref: 00AF1DF2
                        • htons.WSOCK32(?,?,?,?,?), ref: 00AF1EDB
                        • inet_ntoa.WSOCK32(?), ref: 00AF1E8C
                          • Part of subcall function 00AD39E8: _strlen.LIBCMT ref: 00AD39F2
                          • Part of subcall function 00AF3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00AEEC0C), ref: 00AF3240
                        • _strlen.LIBCMT ref: 00AF1F35
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                        • String ID:
                        • API String ID: 3203458085-0
                        • Opcode ID: 189b4435d5d72c4daa81f9b4b72c4c7cb6aadea5728d0062de563a20b370c9f6
                        • Instruction ID: 1812e6c8cbdf56abe345d4d9f827bb81a361b388988c1f4e86c921828d218aff
                        • Opcode Fuzzy Hash: 189b4435d5d72c4daa81f9b4b72c4c7cb6aadea5728d0062de563a20b370c9f6
                        • Instruction Fuzzy Hash: 80B1DE31204304AFC724EF64C895E3A7BE5AF84318F54894DF65A5B2E2DB31ED42CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetClientRect.USER32(?,?), ref: 00A75D30
                        • GetWindowRect.USER32(?,?), ref: 00A75D71
                        • ScreenToClient.USER32(?,?), ref: 00A75D99
                        • GetClientRect.USER32(?,?), ref: 00A75ED7
                        • GetWindowRect.USER32(?,?), ref: 00A75EF8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Rect$Client$Window$Screen
                        • String ID:
                        • API String ID: 1296646539-0
                        • Opcode ID: 0932f9e469868a18b39830fa65d3468b2fb8ad6cf297203de22dd3b4b440401b
                        • Instruction ID: 82b5b138848ea554b8ac462b4964d8085c18caf8ebc113449cd8e4168866f0be
                        • Opcode Fuzzy Hash: 0932f9e469868a18b39830fa65d3468b2fb8ad6cf297203de22dd3b4b440401b
                        • Instruction Fuzzy Hash: 24B17734A00A4ADBDB10CFB9C8807EABBF5FF58310F14C51AE8A9D7251DB30AA51DB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __allrem.LIBCMT ref: 00AA00BA
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA00D6
                        • __allrem.LIBCMT ref: 00AA00ED
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA010B
                        • __allrem.LIBCMT ref: 00AA0122
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA0140
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                        • Instruction ID: 52279ee72b0d1937fe3d1a20d25deb3443c76260fff86a71322ec56b019130b4
                        • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                        • Instruction Fuzzy Hash: 7C81C472B00B069FEB249F69CD41BABB3E9AF42764F24463AF551D76C1E770D9008B90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A982D9,00A982D9,?,?,?,00AA644F,00000001,00000001,8BE85006), ref: 00AA6258
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AA644F,00000001,00000001,8BE85006,?,?,?), ref: 00AA62DE
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AA63D8
                        • __freea.LIBCMT ref: 00AA63E5
                          • Part of subcall function 00AA3820: RtlAllocateHeap.NTDLL(00000000,?,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6,?,00A71129), ref: 00AA3852
                        • __freea.LIBCMT ref: 00AA63EE
                        • __freea.LIBCMT ref: 00AA6413
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                        • String ID:
                        • API String ID: 1414292761-0
                        • Opcode ID: 45c19ac1e2d4ddf4e11938a2a3966ac96ad01bf2d3ff65f8669990306a69870e
                        • Instruction ID: 5d399e0da871aeabe14e39df3d3d8886bcab0bb3be2c3a85d71c0d7b507f6051
                        • Opcode Fuzzy Hash: 45c19ac1e2d4ddf4e11938a2a3966ac96ad01bf2d3ff65f8669990306a69870e
                        • Instruction Fuzzy Hash: 1E51A072A00216ABDF258F64CD81EAF7BA9EF46750F194629F805DB1C0EB34DC45CAA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AFB6AE,?,?), ref: 00AFC9B5
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFC9F1
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA68
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFBCCA
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AFBD25
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFBD6A
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AFBD99
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AFBDF3
                        • RegCloseKey.ADVAPI32(?), ref: 00AFBDFF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                        • String ID:
                        • API String ID: 1120388591-0
                        • Opcode ID: 67169e7f9467b09be109f482382485823259885fb0e1a9371aac910ba06916eb
                        • Instruction ID: 97e26937e413981c050c673ca0a2c839f5fddd328423fa924053ef4939dda65e
                        • Opcode Fuzzy Hash: 67169e7f9467b09be109f482382485823259885fb0e1a9371aac910ba06916eb
                        • Instruction Fuzzy Hash: D8817A30218245AFD714DF64C991E2ABBF5FF84308F14895CF6598B2A2DB31ED45CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VariantInit.OLEAUT32(00000035), ref: 00ACF7B9
                        • SysAllocString.OLEAUT32(00000001), ref: 00ACF860
                        • VariantCopy.OLEAUT32(00ACFA64,00000000), ref: 00ACF889
                        • VariantClear.OLEAUT32(00ACFA64), ref: 00ACF8AD
                        • VariantCopy.OLEAUT32(00ACFA64,00000000), ref: 00ACF8B1
                        • VariantClear.OLEAUT32(?), ref: 00ACF8BB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$ClearCopy$AllocInitString
                        • String ID:
                        • API String ID: 3859894641-0
                        • Opcode ID: e1cde2650b8ceff33355302467c3aadf315dcc15c5bcd14394a687d50228bb9f
                        • Instruction ID: 98908c16cea36bf6fd6a9f10fb885489fe64a142ea7c5d84e9f5d71eddc312a6
                        • Opcode Fuzzy Hash: e1cde2650b8ceff33355302467c3aadf315dcc15c5bcd14394a687d50228bb9f
                        • Instruction Fuzzy Hash: F651D335600310BFCF24AB65D895F29B7AAEF45710B25946FE906EF291DB708C40CBA7
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        • GetOpenFileNameW.COMDLG32(00000058), ref: 00AE94E5
                        • _wcslen.LIBCMT ref: 00AE9506
                        • _wcslen.LIBCMT ref: 00AE952D
                        • GetSaveFileNameW.COMDLG32(00000058), ref: 00AE9585
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$FileName$OpenSave
                        • String ID: X
                        • API String ID: 83654149-3081909835
                        • Opcode ID: bc3d4352e0968578e2c9f10bd4ac1cb5e267dc1bfa57ed1aaf3b10cd3b172f9f
                        • Instruction ID: 763b14f2277c6dc0ecbfeb92a4bb9ca72a9b1a4cc2186de7e9302dc4d238db51
                        • Opcode Fuzzy Hash: bc3d4352e0968578e2c9f10bd4ac1cb5e267dc1bfa57ed1aaf3b10cd3b172f9f
                        • Instruction Fuzzy Hash: 70E1BD316083419FDB24EF25C981A6BB7E0BF85314F14C96DF8999B2A2DB31DD05CB92
                        Uniqueness

                        Uniqueness Score: -1.00%
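The per-function entries above (an "APIs" list, optional "Strings", "Memory Dump Source", "Similarity" key/value bullets, then a "Uniqueness Score") are too numerous to read by hand, and most of them are interpreter plumbing: the report's own verdict is that the sample is likely a compiled AutoIt script, so functions such as the stdout-to-"nul" pipe setup, the Msctls_Progress32 control, and the "%s (%d) : ==> %s: %s %s" message box belong to the host runtime rather than to the stealer payload. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the entry format into structured records, recovers each function's own API call sequence (subcall lines are kept but not counted as the function's own calls), and attaches generic triage tags. SAMPLE_REPORT is excerpted verbatim from three entries above (the CreatePipe/"nul", TerminateThread, and RegConnectRegistryW functions); the tag names and rules in RULES are this example's own heuristics and are hints for where to look, not verdicts.

```python
"""Structured triage of Joe Sandbox per-function API summaries.

Added example for this report page (not Joe Sandbox code). SAMPLE_REPORT is
excerpted verbatim from three of the function entries above; the triage
rules in RULES are this example's own heuristics, not report fields.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00AE04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE052E
Strings
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(010B01C8,010B01C8), ref: 00AE097B
• EnterCriticalSection.KERNEL32(010B01A8,00000000), ref: 00AE098D
• TerminateThread.KERNEL32(?,000001F6), ref: 00AE099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 00AE09A9
• CloseHandle.KERNEL32(?), ref: 00AE09B8
• InterlockedExchange.KERNEL32(010B01C8,000001F6), ref: 00AE09C8
• LeaveCriticalSection.KERNEL32(010B01A8), ref: 00AE09CF
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFBCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AFBD25
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AFBD99
• RegCloseKey.ADVAPI32(?), ref: 00AFBDFF
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
Uniqueness Score: -1.00%
"""

# One "• Name.MODULE(args), ref: ADDR" line; args and the subcall prefix are optional.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# "• Key: value" bullets in the Similarity / Memory Dump Source sections.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class Call:
    name: str
    module: str
    args: str
    ref: str                      # address of the call site
    subcall_of: Optional[str]     # set when the line is "Part of subcall function X"


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def own_calls(self):
        return [c for c in self.calls if c.subcall_of is None]

    def first_ref(self):
        own = self.own_calls()
        return own[0].ref if own else None


def parse_entries(text):
    """Split the report text into FunctionEntry records, one per 'APIs' block."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = FunctionEntry(), "APIs"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Similarity"):
            section = line
            continue
        if line.startswith("Uniqueness Score"):
            cur.meta["Uniqueness Score"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = None
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.calls.append(Call(m["name"], m["module"], m["args"] or "", m["ref"], m["subfn"]))
        elif section == "Strings" and line.startswith("•"):
            cur.strings.append(line[1:].strip())
        else:
            kv = KV_RE.match(line)
            if kv:
                cur.meta[kv["key"]] = kv["val"]
    return entries


def api_sequence(entry):
    """Function's own API names in call order, first occurrence only."""
    seq = []
    for c in entry.own_calls():
        if c.name not in seq:
            seq.append(c.name)
    return seq


# Hypothetical triage tags (this example's own heuristics, not report fields).
RULES = {
    "terminates_thread": lambda names, mods: "TerminateThread" in names,
    "stdio_redirection": lambda names, mods: {"CreatePipe", "GetStdHandle"} <= names,
    "remote_registry_enum": lambda names, mods: "RegConnectRegistryW" in names
    and any(n.startswith("RegEnum") for n in names),
    "winsock": lambda names, mods: bool(mods & {"WSOCK32", "WS2_32"}),
}


def triage(entry):
    names = {c.name for c in entry.own_calls()}
    mods = {c.module for c in entry.own_calls()}
    return sorted(tag for tag, rule in RULES.items() if rule(names, mods))


def summarize(text):
    return [
        {"first_ref": e.first_ref(), "apis": api_sequence(e),
         "string_id": e.meta.get("String ID", ""), "tags": triage(e)}
        for e in parse_entries(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Run it against a full copy of this section rather than the excerpt to get one row per function; sorting the rows by tag count, or filtering on the "String ID" field, surfaces the handful of functions worth opening in the disassembler. Treat the tags as a reading order, not as detections: a thread-kill or registry walk inside the AutoIt runtime is expected behaviour, and the sandbox-level findings in the overview (keylogging hook, browser and mail credential access, WMI adapter queries) come from the injected .NET payloads, not from these host-binary functions.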

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • BeginPaint.USER32(?,?,?), ref: 00A89241
                        • GetWindowRect.USER32(?,?), ref: 00A892A5
                        • ScreenToClient.USER32(?,?), ref: 00A892C2
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A892D3
                        • EndPaint.USER32(?,?,?,?,?), ref: 00A89321
                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AC71EA
                          • Part of subcall function 00A89339: BeginPath.GDI32(00000000), ref: 00A89357
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                        • String ID:
                        • API String ID: 3050599898-0
                        • Opcode ID: 1e5fdca62ad7e78d612a9efc2533a75e71791e4d8b0315fa1ffdedc07e994ff3
                        • Instruction ID: 96942efca0caeee3a2ecf5feacb14cdf88c07cfe341f9c8965f7abf968387633
                        • Opcode Fuzzy Hash: 1e5fdca62ad7e78d612a9efc2533a75e71791e4d8b0315fa1ffdedc07e994ff3
                        • Instruction Fuzzy Hash: 3A418E70504200AFD721EF28D884FBB7BB8FB56320F180669F9A5971F1CB719985DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AE080C
                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AE0847
                        • EnterCriticalSection.KERNEL32(?), ref: 00AE0863
                        • LeaveCriticalSection.KERNEL32(?), ref: 00AE08DC
                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AE08F3
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AE0921
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                        • String ID:
                        • API String ID: 3368777196-0
                        • Opcode ID: dfa503f8931dea2a9ab08ebaec4fee82af379da097590b40de32f054d855ce13
                        • Instruction ID: a7a5da34faf5b6d71dbb0de138136915bf6a2a16dc2e6ff58b7aade4d9d9437d
                        • Opcode Fuzzy Hash: dfa503f8931dea2a9ab08ebaec4fee82af379da097590b40de32f054d855ce13
                        • Instruction Fuzzy Hash: 73417A71A00205EFDF14AF55DC85AAA7BB8FF44300F1440A5ED00AB297DB70DEA0DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00ACF3AB,00000000,?,?,00000000,?,00AC682C,00000004,00000000,00000000), ref: 00B0824C
                        • EnableWindow.USER32(?,00000000), ref: 00B08272
                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B082D1
                        • ShowWindow.USER32(?,00000004), ref: 00B082E5
                        • EnableWindow.USER32(?,00000001), ref: 00B0830B
                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B0832F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        • Opcode ID: 251b585acd7bca6af68fe6ab41b21d64de7338b837b24d16fee0100d7333ed1b
                        • Instruction ID: a77a22b6d3727b44e3df5073c1b0db10995aa9d5c5e5a21d62b4b6202122c03c
                        • Opcode Fuzzy Hash: 251b585acd7bca6af68fe6ab41b21d64de7338b837b24d16fee0100d7333ed1b
                        • Instruction Fuzzy Hash: 30418334601644AFDF22CF15D899BA47FE0FB4A714F1842E9E6884B2F2CB31AA41CF55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsWindowVisible.USER32(?), ref: 00AD4C95
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AD4CB2
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AD4CEA
                        • _wcslen.LIBCMT ref: 00AD4D08
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AD4D10
                        • _wcsstr.LIBVCRUNTIME ref: 00AD4D1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                        • String ID:
                        • API String ID: 72514467-0
                        • Opcode ID: efef39cf74b676a285c0a8d65b83f5c13c0863b1ad83152fad44b1a38c858f70
                        • Instruction ID: e23595803ee400136d59d5e104342318310c376b50e4d0a1f77e4e2f2ba23d42
                        • Opcode Fuzzy Hash: efef39cf74b676a285c0a8d65b83f5c13c0863b1ad83152fad44b1a38c858f70
                        • Instruction Fuzzy Hash: 56210432204201BBEB255B29AD49E7B7FADDF49750F10802AF80ACB291EF75CC4187A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A73A97,?,?,00A72E7F,?,?,?,00000000), ref: 00A73AC2
                        • _wcslen.LIBCMT ref: 00AE587B
                        • CoInitialize.OLE32(00000000), ref: 00AE5995
                        • CoCreateInstance.OLE32(00B0FCF8,00000000,00000001,00B0FB68,?), ref: 00AE59AE
                        • CoUninitialize.OLE32 ref: 00AE59CC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 3172280962-24824748
                        • Opcode ID: e2cb5ba1689288e0ff7a7eba77b8fa986d85bc11925640dab1b638436c879a04
                        • Instruction ID: 7a8e07ae8a1ba8f1ece9794707e1fac1361dd2e140f2ac3e87055c1448b96d88
                        • Opcode Fuzzy Hash: e2cb5ba1689288e0ff7a7eba77b8fa986d85bc11925640dab1b638436c879a04
                        • Instruction Fuzzy Hash: 8DD17571A047019FC714DF25D98092EBBE1EF89718F10885DF88A9B362DB31EC45CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD0FCA
                          • Part of subcall function 00AD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD0FD6
                          • Part of subcall function 00AD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD0FE5
                          • Part of subcall function 00AD0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD0FEC
                          • Part of subcall function 00AD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD1002
                        • GetLengthSid.ADVAPI32(?,00000000,00AD1335), ref: 00AD17AE
                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AD17BA
                        • HeapAlloc.KERNEL32(00000000), ref: 00AD17C1
                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AD17DA
                        • GetProcessHeap.KERNEL32(00000000,00000000,00AD1335), ref: 00AD17EE
                        • HeapFree.KERNEL32(00000000), ref: 00AD17F5
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                        • String ID:
                        • API String ID: 3008561057-0
                        • Opcode ID: 06a9ecfcaf7cf8e23151603c201b90999a7dce2c18cd1e849a9e0ac0e511424a
                        • Instruction ID: 4e7985df783fce1892be0f01ceaef342184e3ace6cc04b54b2cb8fce60062b55
                        • Opcode Fuzzy Hash: 06a9ecfcaf7cf8e23151603c201b90999a7dce2c18cd1e849a9e0ac0e511424a
                        • Instruction Fuzzy Hash: 4C117C75601205FFDB109FA4CC49FAE7BB9FB45355F20821AF582A7220DB35A944CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AD14FF
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00AD1506
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AD1515
                        • CloseHandle.KERNEL32(00000004), ref: 00AD1520
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AD154F
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AD1563
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        • Opcode ID: eec41d5e9a65a9e08ca62dfc163c1a79192e88f150e7d8fd340b4facfff6bffb
                        • Instruction ID: 632ff4eda297d489032ef647df9562648a4cb49958d334d8c69dc1100076d8ea
                        • Opcode Fuzzy Hash: eec41d5e9a65a9e08ca62dfc163c1a79192e88f150e7d8fd340b4facfff6bffb
                        • Instruction Fuzzy Hash: 371129B6500209BFDF118F98ED49FDE7BA9EF48744F048115FA06A21A0D7768E60DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,?,00A93379,00A92FE5), ref: 00A93390
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A9339E
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A933B7
                        • SetLastError.KERNEL32(00000000,?,00A93379,00A92FE5), ref: 00A93409
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: 1ae5a91ffff9387346bb4a98c727fd843dfb33dc6c1b50c501a01bd9e7c3b18c
                        • Instruction ID: 2197bc8165a96d1b4df38e77863c24d3d60cf1063e5138f8ebbd3ffb806cf65c
                        • Opcode Fuzzy Hash: 1ae5a91ffff9387346bb4a98c727fd843dfb33dc6c1b50c501a01bd9e7c3b18c
                        • Instruction Fuzzy Hash: DE01B133749311AEEF2A2BB46E85A6B2EF4EB157797300229F5109A1F0EF114D015644
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,?,00AA5686,00AB3CD6,?,00000000,?,00AA5B6A,?,?,?,?,?,00A9E6D1,?,00B38A48), ref: 00AA2D78
                        • _free.LIBCMT ref: 00AA2DAB
                        • _free.LIBCMT ref: 00AA2DD3
                        • SetLastError.KERNEL32(00000000,?,?,?,?,00A9E6D1,?,00B38A48,00000010,00A74F4A,?,?,00000000,00AB3CD6), ref: 00AA2DE0
                        • SetLastError.KERNEL32(00000000,?,?,?,?,00A9E6D1,?,00B38A48,00000010,00A74F4A,?,?,00000000,00AB3CD6), ref: 00AA2DEC
                        • _abort.LIBCMT ref: 00AA2DF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        • Opcode ID: b2bd469b765113652c7286cb48dcf11c6773449a9c56360cc162ced080900470
                        • Instruction ID: 661b68593cc6268806f2214190cbf40038c7436a8a77fb1acc65f627e679605e
                        • Opcode Fuzzy Hash: b2bd469b765113652c7286cb48dcf11c6773449a9c56360cc162ced080900470
                        • Instruction Fuzzy Hash: 7EF0C232545A002BD622377DBD0AF5F2A6AAFD37A1F354618F824A31E3EF3488215361
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A89693
                          • Part of subcall function 00A89639: SelectObject.GDI32(?,00000000), ref: 00A896A2
                          • Part of subcall function 00A89639: BeginPath.GDI32(?), ref: 00A896B9
                          • Part of subcall function 00A89639: SelectObject.GDI32(?,00000000), ref: 00A896E2
                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B08A4E
                        • LineTo.GDI32(?,00000003,00000000), ref: 00B08A62
                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B08A70
                        • LineTo.GDI32(?,00000000,00000003), ref: 00B08A80
                        • EndPath.GDI32(?), ref: 00B08A90
                        • StrokePath.GDI32(?), ref: 00B08AA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                        • String ID:
                        • API String ID: 43455801-0
                        • Opcode ID: 9ff398bb2e181396b02c389b3af1b639163dded6dae976426ef0ccad8ed0cb41
                        • Instruction ID: ee52baddcca9517087641aa573b9c2022a8873c984a518e0d656f045e5a514f4
                        • Opcode Fuzzy Hash: 9ff398bb2e181396b02c389b3af1b639163dded6dae976426ef0ccad8ed0cb41
                        • Instruction Fuzzy Hash: 8E111E7600010CFFEF119F94DC88EAA7F6CEB04350F048152FA15961A1DB719E55DFA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDC.USER32(00000000), ref: 00AD5218
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00AD5229
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AD5230
                        • ReleaseDC.USER32(00000000,00000000), ref: 00AD5238
                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AD524F
                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00AD5261
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CapsDevice$Release
                        • String ID:
                        • API String ID: 1035833867-0
                        • Opcode ID: a755c8b9f5348d2067f2a1f85dff8839e7c4a99caed6b077dbcf8b9a99907181
                        • Instruction ID: a03ae1005fbca576fe514f4bdb73f958f0bfa5238a1a5a9747a74d2b2c605413
                        • Opcode Fuzzy Hash: a755c8b9f5348d2067f2a1f85dff8839e7c4a99caed6b077dbcf8b9a99907181
                        • Instruction Fuzzy Hash: C3014F75E00718BBEB109BB59C49F5EBFB8FF58751F044166FA05A7281DB709804CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A71BF4
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A71BFC
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A71C07
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A71C12
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A71C1A
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A71C22
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        • Opcode ID: 1224f6a5f74ef75fcd3febae837adcab63056b5f77479988f330ff1584a2db9d
                        • Instruction ID: 91f971f21cc7c5c4cf7b95c073a00318d2683459d454516742618901f3f0a87e
                        • Opcode Fuzzy Hash: 1224f6a5f74ef75fcd3febae837adcab63056b5f77479988f330ff1584a2db9d
                        • Instruction Fuzzy Hash: FE016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ADEB30
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ADEB46
                        • GetWindowThreadProcessId.USER32(?,?), ref: 00ADEB55
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ADEB64
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ADEB6E
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ADEB75
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        • Opcode ID: 8df2b0b61800515f1ded8d3c11f9747b59985921d23b9f433e4813896a53d40d
                        • Instruction ID: e7817368d0feb9b5880bf18b5bfbbd0360f9d8ba280235eec0cc90dd997bafbf
                        • Opcode Fuzzy Hash: 8df2b0b61800515f1ded8d3c11f9747b59985921d23b9f433e4813896a53d40d
                        • Instruction Fuzzy Hash: C1F03A72240158BFE7215B629C0EEEF3E7CEFDAB11F004259F602E3191DBA15A01CAB5
                        Uniqueness

                        Uniqueness Score: -1.00%
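
The records in this section list raw API chains with numeric arguments and no interpretation. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses records in exactly this bullet format, names the Win32 constants that appear in them (WM_CLOSE, the pre-Vista PROCESS_ALL_ACCESS mask, TokenGroups, the VK_* codes passed to MapVirtualKeyW, CLSCTX_INPROC_SERVER) and tags chains that together form a capability, such as the PostMessageW/OpenProcess/TerminateProcess sequence at 00ADEB30-00ADEB75 or the CoInitialize/CoCreateInstance chain whose String ID is .lnk. The capability rules in RULES are my own assumptions, and the two sample records are constructed copies of records from this page with long argument lists shortened. One caveat the report itself supports: it classifies the sample as a likely compiled AutoIt script, so chains like these belong to the interpreter's built-in library whether or not the embedded script uses them; treat a tag as a candidate capability to confirm against the behavioural sections, not as proof the script invokes it.

```python
"""Decode Joe Sandbox "APIs" records into triage notes.

Added example; not code from the report or from Joe Security. Parses the
bullet lines of an APIs block as printed in this report, names well-known
numeric arguments and tags call chains that amount to a capability.
The rules in RULES are the author's assumptions, not report data."""
import re
from typing import Optional

# One bullet: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")

# Standard Win32 names for values the report prints as raw hex,
# keyed by (API name, 0-based argument index).
CONSTS = {
    ("SendMessageW", 1): {0x0D: "WM_GETTEXT", 0x0E: "WM_GETTEXTLENGTH", 0x10: "WM_CLOSE"},
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS (pre-Vista mask)"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("CoCreateInstance", 2): {1: "CLSCTX_INPROC_SERVER"},
}

# Assumed capability rules: every API in the set must occur in one record
# (direct calls and "Part of subcall" lines both count).
RULES = [
    ({"GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"},
     "terminates the process that owns a window"),
    ({"CreateProcessWithLogonW"}, "starts a process under explicit credentials"),
    ({"GetTokenInformation", "CopySid"}, "copies group SIDs out of an access token"),
    ({"MapVirtualKeyW"}, "maps modifier keys to scan codes (synthetic keyboard input)"),
    ({"IsWindowVisible", "SendMessageW", "_wcsstr"}, "searches visible window text"),
]

def parse_arg(tok: str) -> Optional[int]:
    """'00000010' -> 16, '-00000002' -> -2, '?' (unresolved by the plugin) -> None."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)

def parse_record(text: str) -> dict:
    """Split one APIs record into call dicts plus the String ID values it lists."""
    calls, strings = [], []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            calls.append({"name": m["name"], "module": m["module"], "args": args,
                          "ref": m["ref"], "sub": m["sub"]})
            continue
        m = STRING_RE.match(line)
        if m and m["s"]:
            strings.append(m["s"])
    return {"calls": calls, "strings": strings}

def decode_constants(record: dict) -> list:
    """(api, ref, symbolic name) for every argument with a known meaning."""
    out = []
    for c in record["calls"]:
        for i, v in enumerate(c["args"]):
            name = CONSTS.get((c["name"], i), {}).get(v)
            if name:
                out.append((c["name"], c["ref"], name))
    return out

def tag_record(record: dict) -> list:
    names = {c["name"] for c in record["calls"]}
    tags = [label for apis, label in RULES if apis <= names]
    if "CoCreateInstance" in names and ".lnk" in record["strings"]:
        tags.append("creates a shell shortcut (.lnk) via COM")
    return tags

def triage(text: str) -> dict:
    rec = parse_record(text)
    return {"calls": len(rec["calls"]), "constants": decode_constants(rec),
            "tags": tag_record(rec)}

# Constructed input: two records copied from this report, argument lists shortened.
SAMPLE_WINKILL = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ADEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ADEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00ADEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00ADEB64
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00ADEB6E
• CloseHandle.KERNEL32(00000000,?), ref: 00ADEB75
"""
SAMPLE_SHORTCUT = """
  • Part of subcall function 00A73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000), ref: 00A73AC2
• _wcslen.LIBCMT ref: 00AE587B
• CoInitialize.OLE32(00000000), ref: 00AE5995
• CoCreateInstance.OLE32(00B0FCF8,00000000,00000001,00B0FB68,?), ref: 00AE59AE
• CoUninitialize.OLE32 ref: 00AE59CC
• String ID: .lnk
"""

if __name__ == "__main__":
    for label, sample in (("window kill", SAMPLE_WINKILL), ("shortcut", SAMPLE_SHORTCUT)):
        print(label, triage(sample))
```

Run it as a script to see both samples decoded, or paste any other APIs block from this report into triage(). Extending CONSTS is the main maintenance point: the plugin prints every argument as zero-padded hex, so a value that is really a pointer or an unresolved "?" simply decodes to nothing.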

                        APIs
                        • GetClientRect.USER32(?), ref: 00AC7452
                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00AC7469
                        • GetWindowDC.USER32(?), ref: 00AC7475
                        • GetPixel.GDI32(00000000,?,?), ref: 00AC7484
                        • ReleaseDC.USER32(?,00000000), ref: 00AC7496
                        • GetSysColor.USER32(00000005), ref: 00AC74B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                        • String ID:
                        • API String ID: 272304278-0
                        • Opcode ID: efd442ee347a98da9acdbed7f32bfa196460a99c3aef87cbc3337b27b8b062f1
                        • Instruction ID: 5a0acd742d660f6a098794e9cb5464aa032250d194606b5cd9f13b8050c3f091
                        • Opcode Fuzzy Hash: efd442ee347a98da9acdbed7f32bfa196460a99c3aef87cbc3337b27b8b062f1
                        • Instruction Fuzzy Hash: 8C012431400615EFEB615FA4DD09BAE7FB5FB24321F650264FA16A31A1CF321E51AF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AD187F
                        • UnloadUserProfile.USERENV(?,?), ref: 00AD188B
                        • CloseHandle.KERNEL32(?), ref: 00AD1894
                        • CloseHandle.KERNEL32(?), ref: 00AD189C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00AD18A5
                        • HeapFree.KERNEL32(00000000), ref: 00AD18AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        • Opcode ID: cae41e378b17351fb43b24ab59df4f3ab8c24ffbb96e892cab5348bd34b9828e
                        • Instruction ID: 51b4e48b96eabf081660e274848742690b918140eb4f929451fa38a5ada591eb
                        • Opcode Fuzzy Hash: cae41e378b17351fb43b24ab59df4f3ab8c24ffbb96e892cab5348bd34b9828e
                        • Instruction Fuzzy Hash: 29E0E536004101BFDB015FA1ED0C90ABF39FF69B22B108320F225920B0CF329420DF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ADC6EE
                        • _wcslen.LIBCMT ref: 00ADC735
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ADC79C
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ADC7CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ItemMenu$Info_wcslen$Default
                        • String ID: 0
                        • API String ID: 1227352736-4108050209
                        • Opcode ID: cfe6c8f13e276a3a104c910b832f941c9f31fc12b90555d707e2f47229770cad
                        • Instruction ID: 18ff8d77ad92fe02004c02e2578acba18078358c5fd421559a23384619d4d130
                        • Opcode Fuzzy Hash: cfe6c8f13e276a3a104c910b832f941c9f31fc12b90555d707e2f47229770cad
                        • Instruction Fuzzy Hash: 6751D0716043029BD7149F28C985B6B77E8AF89724F440A2EF996D33E0DB70DD44DB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ShellExecuteExW.SHELL32(0000003C), ref: 00AFAEA3
                          • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
                        • GetProcessId.KERNEL32(00000000), ref: 00AFAF38
                        • CloseHandle.KERNEL32(00000000), ref: 00AFAF67
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseExecuteHandleProcessShell_wcslen
                        • String ID: <$@
                        • API String ID: 146682121-1426351568
                        • Opcode ID: 69f54cc624c2d982d61a259f37bab70ad975efb61270726939e16d8ae89cb5d0
                        • Instruction ID: 4d06af0462f726859d975c49293e556b67ee8c38e212ad216c9c1f67829ccc4e
                        • Opcode Fuzzy Hash: 69f54cc624c2d982d61a259f37bab70ad975efb61270726939e16d8ae89cb5d0
                        • Instruction Fuzzy Hash: 44715AB1A00619DFCB14DF94C984AAEBBF0BF18314F14C499E95AAB352CB74ED41CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AD7206
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AD723C
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AD724D
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AD72CF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        • API String ID: 753597075-1075368562
                        • Opcode ID: da8041cdbcbccc00f033cad28e5c326e8f2abf1b27a892a52bf30ed992a0cc8e
                        • Instruction ID: edf59c743107e26cc5e7d7f0f7677305d5cbc26dfbe7bdcf46969335e34b72f9
                        • Opcode Fuzzy Hash: da8041cdbcbccc00f033cad28e5c326e8f2abf1b27a892a52bf30ed992a0cc8e
                        • Instruction Fuzzy Hash: 55415EB1604204EFDB19CF54C884A9E7BB9EF44710F1480AEBD069F34AE7B5D945CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B03E35
                        • IsMenu.USER32(?), ref: 00B03E4A
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B03E92
                        • DrawMenuBar.USER32 ref: 00B03EA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$Item$DrawInfoInsert
                        • String ID: 0
                        • API String ID: 3076010158-4108050209
                        • Opcode ID: c628d6ffa284f843f212ec49c64001b32f8b4d277771f25c8ae2f8735b39968a
                        • Instruction ID: 0373fe06d856e8c35b577e8c11457cfa03ba67c3df7f2004d858e24f8ef375b6
                        • Opcode Fuzzy Hash: c628d6ffa284f843f212ec49c64001b32f8b4d277771f25c8ae2f8735b39968a
                        • Instruction Fuzzy Hash: D0413B75A01209EFDB10DF54D888EAABBF9FF49754F0482A9F90597290D730AE45CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AD1E66
                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AD1E79
                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AD1EA9
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$_wcslen$ClassName
                        • String ID: ComboBox$ListBox
                        • API String ID: 2081771294-1403004172
                        • Opcode ID: 853b5ef51ae02dbb988098125be7d2545e470388fa0d3bf96652859a546bbbb6
                        • Instruction ID: 327da463552e9fa7a422df82bb23b7844a115912f1568a56a583f1a725a23509
                        • Opcode Fuzzy Hash: 853b5ef51ae02dbb988098125be7d2545e470388fa0d3bf96652859a546bbbb6
                        • Instruction Fuzzy Hash: FA213871A00104BEDB14AB64DD46CFFBBB9EF55754B14852AF826A72E1DF344A0A8620
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B02F8D
                        • LoadLibraryW.KERNEL32(?), ref: 00B02F94
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B02FA9
                        • DestroyWindow.USER32(?), ref: 00B02FB1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$DestroyLibraryLoadWindow
                        • String ID: SysAnimate32
                        • API String ID: 3529120543-1011021900
                        • Opcode ID: c663ef6dde4ac40c3c23eb86dbfe6c8a26f70b1f02886a70b50f52abfa964059
                        • Instruction ID: 96ff468a45a2f5466a352af76839ad598259ee3746c3eb2918b06d8cfeb20f14
                        • Opcode Fuzzy Hash: c663ef6dde4ac40c3c23eb86dbfe6c8a26f70b1f02886a70b50f52abfa964059
                        • Instruction Fuzzy Hash: E821AE7120020AABEB215F64DC88EBB7BFDEB693A4F104658F950D31D0DB71DC559760
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A94D1E,00AA28E9,?,00A94CBE,00AA28E9,00B388B8,0000000C,00A94E15,00AA28E9,00000002), ref: 00A94D8D
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A94DA0
                        • FreeLibrary.KERNEL32(00000000,?,?,?,00A94D1E,00AA28E9,?,00A94CBE,00AA28E9,00B388B8,0000000C,00A94E15,00AA28E9,00000002,00000000), ref: 00A94DC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: ecedc1338e3ba5833e231935251d45386db390f28cdf0f417eae573f343040e9
                        • Instruction ID: 20e28c32fcd8f68d7e6b403d0075de8568f944a380ed9ae5dd2814468ef81d28
                        • Opcode Fuzzy Hash: ecedc1338e3ba5833e231935251d45386db390f28cdf0f417eae573f343040e9
                        • Instruction Fuzzy Hash: 41F03C34A50208ABEB119B90DC49BAEBFE5EF58752F4401A4B809A22A0DF705D81CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryA.KERNEL32 ref: 00ACD3AD
                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ACD3BF
                        • FreeLibrary.KERNEL32(00000000), ref: 00ACD3E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: GetSystemWow64DirectoryW$X64
                        • API String ID: 145871493-2590602151
                        • Opcode ID: 45e479671f6522d70adf78cc064bc81b7ceea380149035d7e4b80dddcb0ec094
                        • Instruction ID: a927bdf8c73822e8a8772445c31e4099ad1fd26dd1f7c429201d329c77e28947
                        • Opcode Fuzzy Hash: 45e479671f6522d70adf78cc064bc81b7ceea380149035d7e4b80dddcb0ec094
                        • Instruction Fuzzy Hash: A9F0E5758056219BD7712B108C58FAE7B34AF21701F6782BDF406FA295DF20CD409792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A74EDD,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E9C
                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A74EAE
                        • FreeLibrary.KERNEL32(00000000,?,?,00A74EDD,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74EC0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                        • API String ID: 145871493-3689287502
                        • Opcode ID: c6e84ea831da24804da4e2aa75ec091ad9a979e040b58a80a6174f0de908c4cc
                        • Instruction ID: b7b2a53aa7ef64cdb2f2e6a4baf2b4b72945a35f887d67ae7cb6a2bf8f0bd372
                        • Opcode Fuzzy Hash: c6e84ea831da24804da4e2aa75ec091ad9a979e040b58a80a6174f0de908c4cc
                        • Instruction Fuzzy Hash: 29E0C237A066225BD2321B25AC18BAF7E98EF96F72B058255FC09F3250DFA4CD0180E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB3CDE,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E62
                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A74E74
                        • FreeLibrary.KERNEL32(00000000,?,?,00AB3CDE,?,00B41418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A74E87
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                        • API String ID: 145871493-1355242751
                        • Opcode ID: e176b7b1f34971b1b2dbbd8fc4faf5730c74ca2db8e6f0a00ff6a82a22d383cd
                        • Instruction ID: 3f255cd86acdf38ba54310ae86121ff90063b9e8dd2e90e50af0c0e3b3c3bdb8
                        • Opcode Fuzzy Hash: e176b7b1f34971b1b2dbbd8fc4faf5730c74ca2db8e6f0a00ff6a82a22d383cd
                        • Instruction Fuzzy Hash: 48D0123660262157D6221B256C18ECB7E5CEF99F613058755F909F3164CF64CD0186D0
                        Uniqueness

                        Uniqueness Score: -1.00%
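The three records above share the API ID Library$AddressFreeLoadProc and the same first half of their API String ID (145871493); only the second half, derived from the String ID, differs. As an added example (not part of this Joe Sandbox report and not Joe Sandbox code), the Python below parses records in this page's format, lists each LoadLibrary/GetModuleHandle + GetProcAddress pair with the procedure name it resolves and the library it was loaded from when that is visible in the arguments, and clusters functions by the API-ID hash so that all stubs with one call pattern are found regardless of the strings they pass. The sample text is constructed from three records copied from the report and trimmed; the subcall line in the third record is borrowed from the GetMenuItemInfoW record to exercise that path.

```python
"""Parse Joe Sandbox per-function records and cluster them by API-call pattern.
Added example for this page; not Joe Sandbox code."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample: three records copied from the report and trimmed; the
# subcall line in the third record is borrowed from the GetMenuItemInfoW record.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,00A94D1E), ref: 00A94D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A94DA0
• FreeLibrary.KERNEL32(00000000,?,00A94D1E), ref: 00A94DC3
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNEL32 ref: 00ACD3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ACD3BF
• FreeLibrary.KERNEL32(00000000), ref: 00ACD3E5
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A74EDD,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000), ref: 00A74E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A74EAE
• FreeLibrary.KERNEL32(00000000,?,00A74EDD), ref: 00A74EC0
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR"; the args and the subcall prefix are optional.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?(?P<name>[A-Za-z_]\w*)"
    r"\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExW"}
# subcall=True marks "Part of subcall function" lines: calls made by a callee, not by this function.
ApiCall = namedtuple("ApiCall", "name module args ref subcall")


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)    # ApiCall entries in report order
    fields: dict = field(default_factory=dict)   # the Similarity key/value lines
    uniqueness: "float | None" = None


def api_hash(rec):
    """First half of 'API String ID' ('<hash of API ID>-<hash of String ID>'),
    which identifies the call pattern independent of the strings passed."""
    return rec.fields.get("API String ID", "").split("-")[0]


def parse_records(text):
    records, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                              # every record starts here
            cur, section = FuncRecord(), "apis"
            records.append(cur)
        elif cur is None:
            continue
        elif s in ("Strings", "Memory Dump Source", "Similarity", "Uniqueness"):
            section = s
        elif m := SCORE_RE.search(s):
            cur.uniqueness = float(m.group(1))
        elif section == "apis" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], bool(m["sub"])))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m["key"].strip()] = m["val"]
    return records


def dynamic_resolutions(rec):
    """(library, procedure, ref) for each GetProcAddress with a visible name,
    paired with the nearest preceding LoadLibrary*/GetModuleHandle* call."""
    out, lib = [], None
    for c in rec.calls:
        if c.subcall:
            continue
        if c.name in LOADERS:   # library is None when the report shows no argument
            lib = next((a for a in c.args if a.lower().endswith(".dll")), None)
        elif c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?":
            out.append((lib, c.args[1], c.ref))
    return out


def cluster_by_api_pattern(records):
    """Map each API-ID hash to the String IDs of the functions sharing it."""
    groups = defaultdict(list)
    for r in records:
        groups[api_hash(r)].append(r.fields.get("String ID", ""))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.fields.get("API ID"), dynamic_resolutions(r))
    print(cluster_by_api_pattern(recs))
```

Run it over the full report text and the cluster keyed by 145871493 returns every LoadLibrary/GetProcAddress/FreeLibrary stub in the AutoIt runtime at once, with the resolved names (here GetSystemWow64DirectoryW, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection) telling you which of them matter for triage; the second record shows the caveat that a library argument is not always visible, so the pairing falls back to None rather than guessing.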

                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 00AFA427
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AFA435
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AFA468
                        • CloseHandle.KERNEL32(?), ref: 00AFA63D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$CloseCountersCurrentHandleOpen
                        • String ID:
                        • API String ID: 3488606520-0
                        • Opcode ID: b22ac1f028664d444ca3559fe96069261f69602eaf2b025bca82ec488c295cf0
                        • Instruction ID: 0fdbd1bc5b27f9a126981fc4ae2277cdf04afcd1a0ace3336c4e8245808b0162
                        • Opcode Fuzzy Hash: b22ac1f028664d444ca3559fe96069261f69602eaf2b025bca82ec488c295cf0
                        • Instruction Fuzzy Hash: 59A180B16043019FD720DF24C986F2AB7E5AF94714F14C85DFA5A9B392DB70EC418B92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B13700), ref: 00AABB91
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00B4121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00AABC09
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00B41270,000000FF,?,0000003F,00000000,?), ref: 00AABC36
                        • _free.LIBCMT ref: 00AABB7F
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AABD4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                        • String ID:
                        • API String ID: 1286116820-0
                        • Opcode ID: 1a5b66469c2f698f5f1695a676b488e55599fcbdc67053c8bfece8f2cb769c6a
                        • Instruction ID: f8f4c4e293f4ec31939e7c928e50ed2bf7b208ca4f8c011bf82492cad1f758bb
                        • Opcode Fuzzy Hash: 1a5b66469c2f698f5f1695a676b488e55599fcbdc67053c8bfece8f2cb769c6a
                        • Instruction Fuzzy Hash: D851C771D10219AFCB10EF69DD419AEBBBCFF46360B10466AE554D71E2EB709E808B70
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00ADDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ADCF22,?), ref: 00ADDDFD
                          • Part of subcall function 00ADDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ADCF22,?), ref: 00ADDE16
                          • Part of subcall function 00ADE199: GetFileAttributesW.KERNEL32(?,00ADCF95), ref: 00ADE19A
                        • lstrcmpiW.KERNEL32(?,?), ref: 00ADE473
                        • MoveFileW.KERNEL32(?,?), ref: 00ADE4AC
                        • _wcslen.LIBCMT ref: 00ADE5EB
                        • _wcslen.LIBCMT ref: 00ADE603
                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00ADE650
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                        • String ID:
                        • API String ID: 3183298772-0
                        • Opcode ID: b180b36f104488e2901f35cf7eee2d2dc5bbb31cdb9a4b77cf1a1074edeeede8
                        • Instruction ID: ce4f83cd36507cd4885ba1812e022b16102d894f16a4b5d80264bd0b9bc0e57a
                        • Opcode Fuzzy Hash: b180b36f104488e2901f35cf7eee2d2dc5bbb31cdb9a4b77cf1a1074edeeede8
                        • Instruction Fuzzy Hash: CC5183B25083455BCB24EBA0DD819DF73ECAF94340F00491FF58AD7291EF75A6888766
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AFB6AE,?,?), ref: 00AFC9B5
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFC9F1
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA68
                          • Part of subcall function 00AFC998: _wcslen.LIBCMT ref: 00AFCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AFBAA5
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AFBB00
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AFBB63
                        • RegCloseKey.ADVAPI32(?,?), ref: 00AFBBA6
                        • RegCloseKey.ADVAPI32(00000000), ref: 00AFBBB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                        • String ID:
                        • API String ID: 826366716-0
                        • Opcode ID: dbb18542ed98b6903348cddea20f12d4350fb192f356b20278ccf0e312075940
                        • Instruction ID: bb65b85cb7e09368beb4d350130d7203880bff98f09b482909558654f125fe34
                        • Opcode Fuzzy Hash: dbb18542ed98b6903348cddea20f12d4350fb192f356b20278ccf0e312075940
                        • Instruction Fuzzy Hash: C4618C31218205AFD714DF54C890E2ABBF5FF84348F14899DF5998B2A2DB31ED45CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00AD8BCD
                        • VariantClear.OLEAUT32 ref: 00AD8C3E
                        • VariantClear.OLEAUT32 ref: 00AD8C9D
                        • VariantClear.OLEAUT32(?), ref: 00AD8D10
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AD8D3B
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType
                        • String ID:
                        • API String ID: 4136290138-0
                        • Opcode ID: cba8588a126915b76bc08708745a03c504c02b6c3468c6b8c9bd70d4f5b7de84
                        • Instruction ID: 51ebf68f2ea3321625b6cf074c84192ce5374454e563699be14c7220851cb9af
                        • Opcode Fuzzy Hash: cba8588a126915b76bc08708745a03c504c02b6c3468c6b8c9bd70d4f5b7de84
                        • Instruction Fuzzy Hash: 87516DB5A00219EFCB14CF58C894AAAB7F5FF89310B15855AF946DB350E734E911CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AE8BAE
                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AE8BDA
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AE8C32
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AE8C57
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AE8C5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String
                        • String ID:
                        • API String ID: 2832842796-0
                        • Opcode ID: 49b84ad09389b4c47ed599f2405ca3953546f667a3677d6b14d16c05afceafc1
                        • Instruction ID: e6d8cb7c3b5e717d4375805758160e85f5100e60915e4c5b5c517f7bd1f070cf
                        • Opcode Fuzzy Hash: 49b84ad09389b4c47ed599f2405ca3953546f667a3677d6b14d16c05afceafc1
                        • Instruction Fuzzy Hash: 43514935A002199FCB05DF65C981A6EBBF5FF49314F18C458E84AAB362CB35ED51CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00AF8F40
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00AF8FD0
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00AF8FEC
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00AF9032
                        • FreeLibrary.KERNEL32(00000000), ref: 00AF9052
                          • Part of subcall function 00A8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AE1043,?,7644E610), ref: 00A8F6E6
                          • Part of subcall function 00A8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00ACFA64,00000000,00000000,?,?,00AE1043,?,7644E610,?,00ACFA64), ref: 00A8F70D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                        • String ID:
                        • API String ID: 666041331-0
                        • Opcode ID: fe1a92241bc07ab6d1825e08533ed5451f042b7b421cf95e82fdb18bfd678697
                        • Instruction ID: d11cfabe6468443ad0471cc37f5ee84f23e11250e1331c1f9c5a0262c0ba6804
                        • Opcode Fuzzy Hash: fe1a92241bc07ab6d1825e08533ed5451f042b7b421cf95e82fdb18bfd678697
                        • Instruction Fuzzy Hash: 2C513934600209DFC711DF98C5949AEBBB1FF49314B04C1A9F90AAB362DB31ED86CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B06C33
                        • SetWindowLongW.USER32(?,000000EC,?), ref: 00B06C4A
                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B06C73
                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00AEAB79,00000000,00000000), ref: 00B06C98
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B06CC7
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Long$MessageSendShow
                        • String ID:
                        • API String ID: 3688381893-0
                        • Opcode ID: b7cbdd65626157fbe30773ed5b16df54547a0fa16d3c594c2c62cdbcce0134b3
                        • Instruction ID: 192672902f3dfb2db082a3f3c8caa7962225df553d2b24efc06fc68f817e2114
                        • Opcode Fuzzy Hash: b7cbdd65626157fbe30773ed5b16df54547a0fa16d3c594c2c62cdbcce0134b3
                        • Instruction Fuzzy Hash: 6441B435A04104AFE734CF28CD99FA97FE5EB09350F1502A8F995A72E0C771ED61CA50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 8a8ecdbc214f7213ce1fe1e0b6827726923241238c38ee646032beaa38a9f050
                        • Instruction ID: c33153d087c954df17b11097aea1952606a819c0988b865c584b6319fafe2eff
                        • Opcode Fuzzy Hash: 8a8ecdbc214f7213ce1fe1e0b6827726923241238c38ee646032beaa38a9f050
                        • Instruction Fuzzy Hash: 8E41CF72A002009FCB24DF7CC981B5EB7F5EF8A714B2545A9E615EB391DB31AD11CB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCursorPos.USER32(?), ref: 00A89141
                        • ScreenToClient.USER32(00000000,?), ref: 00A8915E
                        • GetAsyncKeyState.USER32(00000001), ref: 00A89183
                        • GetAsyncKeyState.USER32(00000002), ref: 00A8919D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        • String ID:
                        • API String ID: 4210589936-0
                        • Opcode ID: 9b93bdcbfb908f9d780266144e6f104ff6a2159569836c2214e00673146bfd19
                        • Instruction ID: 3270d25b0be82c34dd4d6de22e22bb3735d5ffa22b8dac69609958df1678ead8
                        • Opcode Fuzzy Hash: 9b93bdcbfb908f9d780266144e6f104ff6a2159569836c2214e00673146bfd19
                        • Instruction Fuzzy Hash: 9D414F31A0851ABBDF55AF64C848BFEBB74FB05324F244359E429A72E0CB345954CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetInputState.USER32 ref: 00AE38CB
                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AE3922
                        • TranslateMessage.USER32(?), ref: 00AE394B
                        • DispatchMessageW.USER32(?), ref: 00AE3955
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE3966
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                        • String ID:
                        • API String ID: 2256411358-0
                        • Opcode ID: 5011f5791b83e1bb4f23364dfe05b3d645cf72fb6809e3fe4d699b1cb1b5e52a
                        • Instruction ID: c164a321a8dbf70815c1886ca43e58a7cc9c2e7966f24838cd8ce2f24df848dd
                        • Opcode Fuzzy Hash: 5011f5791b83e1bb4f23364dfe05b3d645cf72fb6809e3fe4d699b1cb1b5e52a
                        • Instruction Fuzzy Hash: 8B31B9769043C1AEEF35CB3ADC5DBB63BA8AB16304F040559E462831A1DBF49B85CB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00AECF38
                        • InternetReadFile.WININET(?,00000000,?,?), ref: 00AECF6F
                        • GetLastError.KERNEL32(?,00000000,?,?,?,00AEC21E,00000000), ref: 00AECFB4
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,00AEC21E,00000000), ref: 00AECFC8
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,00AEC21E,00000000), ref: 00AECFF2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                        • String ID:
                        • API String ID: 3191363074-0
                        • Opcode ID: a6b658bd6dbb338a128e4cc219b14572fd6b48ab4a86bf955fca463d5a8a5f8b
                        • Instruction ID: 960d01e47367e9a2110f1ba75b0222028a3c4f510c749091d4488faf55b704e1
                        • Opcode Fuzzy Hash: a6b658bd6dbb338a128e4cc219b14572fd6b48ab4a86bf955fca463d5a8a5f8b
                        • Instruction Fuzzy Hash: 7A314A71600345EFDB20DFA6C984AABBBF9EF14365B10442EF506D3141DB30AE42DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00AD1915
                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 00AD19C1
                        • Sleep.KERNEL32(00000000,?,?,?), ref: 00AD19C9
                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 00AD19DA
                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00AD19E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        • Opcode ID: 3b5ee6ec976f4888ddd8f0c3f520836515f63e563e93bdc18dc683e63b6a4871
                        • Instruction ID: 62be2083727bef850a34b0d220638d596a80480d2b3b071644784b75da938ce2
                        • Opcode Fuzzy Hash: 3b5ee6ec976f4888ddd8f0c3f520836515f63e563e93bdc18dc683e63b6a4871
                        • Instruction Fuzzy Hash: B1319171A00219EFCB14CFA8CDA9ADE7BB5EB54315F104326F922A72D1C7709D54CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B05745
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B0579D
                        • _wcslen.LIBCMT ref: 00B057AF
                        • _wcslen.LIBCMT ref: 00B057BA
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B05816
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$_wcslen
                        • String ID:
                        • API String ID: 763830540-0
                        • Opcode ID: 1396e074b757648e2f144dec1953365d5bfb1cf383dceadf6dfd49bfdad2c64c
                        • Instruction ID: 1bd7c9d4a79df812daea71afaeb296f810a83233ba615be7839451107060f311
                        • Opcode Fuzzy Hash: 1396e074b757648e2f144dec1953365d5bfb1cf383dceadf6dfd49bfdad2c64c
                        • Instruction Fuzzy Hash: F8218175904618AADF308F64CC84AEE7FF8FF04320F108296E929AB5C4DB709985CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsWindow.USER32(00000000), ref: 00AF0951
                        • GetForegroundWindow.USER32 ref: 00AF0968
                        • GetDC.USER32(00000000), ref: 00AF09A4
                        • GetPixel.GDI32(00000000,?,00000003), ref: 00AF09B0
                        • ReleaseDC.USER32(00000000,00000003), ref: 00AF09E8
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$ForegroundPixelRelease
                        • String ID:
                        • API String ID: 4156661090-0
                        • Opcode ID: 22ac70705eb3fb7b92638770f3f47398f25467b57755442195925672cbc2012b
                        • Instruction ID: c101d3ad086a315f040369572f38f583ffaaf3f5f88911f9fe6a4698ef09fdcd
                        • Opcode Fuzzy Hash: 22ac70705eb3fb7b92638770f3f47398f25467b57755442195925672cbc2012b
                        • Instruction Fuzzy Hash: 87218E75600214AFD714EF65CD85EAEBBF9EF48700F048168F95AA7362DB70AC04CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 00AACDC6
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AACDE9
                          • Part of subcall function 00AA3820: RtlAllocateHeap.NTDLL(00000000,?,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6,?,00A71129), ref: 00AA3852
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AACE0F
                        • _free.LIBCMT ref: 00AACE22
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AACE31
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        • Opcode ID: 864519a44ab7d379d762ef02c4526965c7dd44c97c4ccd1b1ce6625b8257b0b1
                        • Instruction ID: 80737c6c2cc3a39d0511800121e1bb7cbd92bd64a68b65cc245290966e09d7b2
                        • Opcode Fuzzy Hash: 864519a44ab7d379d762ef02c4526965c7dd44c97c4ccd1b1ce6625b8257b0b1
                        • Instruction Fuzzy Hash: 7801DF726022157FB7311BBA6C88D7B6E6DEED7BB13150229F905D7281EF608D0282F0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A89693
                        • SelectObject.GDI32(?,00000000), ref: 00A896A2
                        • BeginPath.GDI32(?), ref: 00A896B9
                        • SelectObject.GDI32(?,00000000), ref: 00A896E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: 84e0c0acd6f3774712b79dc7935a0270de6a96e2c4c2f89d3ef77138f576e987
                        • Instruction ID: 4ab100c9ae9c272957956da9bc9e895f982294bfba8dde8259dc7de01faaec58
                        • Opcode Fuzzy Hash: 84e0c0acd6f3774712b79dc7935a0270de6a96e2c4c2f89d3ef77138f576e987
                        • Instruction Fuzzy Hash: B9214F34C02305EBDB11AF6CDC14BBA3BB8BB51355F144626F460A71A0EB709A92CFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetSysColor.USER32(00000008), ref: 00A898CC
                        • SetTextColor.GDI32(?,?), ref: 00A898D6
                        • SetBkMode.GDI32(?,00000001), ref: 00A898E9
                        • GetStockObject.GDI32(00000005), ref: 00A898F1
                        • GetWindowLongW.USER32(?,000000EB), ref: 00A89952
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Color$LongModeObjectStockTextWindow
                        • String ID:
                        • API String ID: 1860813098-0
                        • Opcode ID: f3936c6946cd7892894484711a50f87de5ef8188a8c04231e05968cfe45aa094
                        • Instruction ID: bbba116fac5834fe9296cf4e366c68663144faab11da1430c30d8691cc0a95de
                        • Opcode Fuzzy Hash: f3936c6946cd7892894484711a50f87de5ef8188a8c04231e05968cfe45aa094
                        • Instruction Fuzzy Hash: 55210536145240AFCB229F24EC59EFA3FA0AB23325B0D0659E9929B1B1CB315981CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        • Opcode ID: 217ccc9a37935c141f303ad4893a4ee07699319622266dbd5bca41f5869a6af0
                        • Instruction ID: 6647837b053d7c5186df12193882936247ab6d6ad1aa48f5e501c5277e7d2387
                        • Opcode Fuzzy Hash: 217ccc9a37935c141f303ad4893a4ee07699319622266dbd5bca41f5869a6af0
                        • Instruction Fuzzy Hash: 6B019671B41606FAE61856209E42FFB73ACDF21394B204422FD16AE781F661ED1086A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,?,?,00A9F2DE,00AA3863,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6), ref: 00AA2DFD
                        • _free.LIBCMT ref: 00AA2E32
                        • _free.LIBCMT ref: 00AA2E59
                        • SetLastError.KERNEL32(00000000,00A71129), ref: 00AA2E66
                        • SetLastError.KERNEL32(00000000,00A71129), ref: 00AA2E6F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        • Opcode ID: 3d75cd3b47e0490e4cecdcb503e841f86043a480a79e8060df2b36e72aaf1dda
                        • Instruction ID: 862ac534d569a387b4ad5dc13b4cd3ab4b9c2270eb38c500ae66ef73463758d3
                        • Opcode Fuzzy Hash: 3d75cd3b47e0490e4cecdcb503e841f86043a480a79e8060df2b36e72aaf1dda
                        • Instruction Fuzzy Hash: E201F432205A006BC632277D6D46F2B2E69ABE37B1B344128F825E31D2EF74CC655320
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?,?,00AD035E), ref: 00AD002B
                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?), ref: 00AD0046
                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?), ref: 00AD0054
                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?), ref: 00AD0064
                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00ACFF41,80070057,?,?), ref: 00AD0070
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        • Opcode ID: c24b7a64d1e8e34c061ab1a06906057947f67bfc247d28be62220f76b25fd122
                        • Instruction ID: 00d5b6fb9dc3f73c2892e3242e143f0a053503dc4f6bf4fd8e97e32cd9711aaa
                        • Opcode Fuzzy Hash: c24b7a64d1e8e34c061ab1a06906057947f67bfc247d28be62220f76b25fd122
                        • Instruction Fuzzy Hash: 58018B72600204BFDB104F68DC04FAA7EADEB84792F148225F906D3210EB71DD408BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • QueryPerformanceCounter.KERNEL32(?), ref: 00ADE997
                        • QueryPerformanceFrequency.KERNEL32(?), ref: 00ADE9A5
                        • Sleep.KERNEL32(00000000), ref: 00ADE9AD
                        • QueryPerformanceCounter.KERNEL32(?), ref: 00ADE9B7
                        • Sleep.KERNEL32 ref: 00ADE9F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        • Opcode ID: 3a8c29e2fa8954bb8b929ea1bb22fde0504c2ad720068152a30a758272958052
                        • Instruction ID: 44277c5a50f74974a570503f01e0affc52acdbb8655a4955f0867051a1b48fff
                        • Opcode Fuzzy Hash: 3a8c29e2fa8954bb8b929ea1bb22fde0504c2ad720068152a30a758272958052
                        • Instruction Fuzzy Hash: 89011331C02629DBCF00EBE5DDA9AEEFB78FB19701F004656E902B6241CB3096558BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD1114
                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1120
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD112F
                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00AD0B9B,?,?,?), ref: 00AD1136
                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD114D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        • Opcode ID: 710a3882c886fb861c03a1801fcf5f11e5fd000628a4dc47027e89bab41905d6
                        • Instruction ID: d1c2749b57ab85e94ba030b22d208aae186db0fe5285e6bfe94518340ad6802f
                        • Opcode Fuzzy Hash: 710a3882c886fb861c03a1801fcf5f11e5fd000628a4dc47027e89bab41905d6
                        • Instruction Fuzzy Hash: 46013779200205BFEB114FA5DC49E6A3F7EEF893A4B204629FA46D7360DF31DC009A60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD0FCA
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD0FD6
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD0FE5
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD0FEC
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD1002
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: e177b55695c48e8dc4852554e65358c6c110c69078e8cad70d8c210d409d6fba
                        • Instruction ID: 71c80318025f7e264780a1ece678be4377a7bb3615408f1c150067c837256711
                        • Opcode Fuzzy Hash: e177b55695c48e8dc4852554e65358c6c110c69078e8cad70d8c210d409d6fba
                        • Instruction Fuzzy Hash: D7F04935200301BBDB215FA4AC49F563FADEF99762F204515FA46D7291DF70DC408A60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00AD102A
                        • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00AD1036
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00AD1045
                        • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00AD104C
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00AD1062
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 713b9561a7e8b070b6e3e45d26a44b116753c3fb02ce7cf838b8dfbff4ee7071
                        • Instruction ID: 9e0417d7f1b7ae7c2ea305d084b02f9756c0a74e5f4545f33f3a8c60b9fe3946
                        • Opcode Fuzzy Hash: 713b9561a7e8b070b6e3e45d26a44b116753c3fb02ce7cf838b8dfbff4ee7071
                        • Instruction Fuzzy Hash: 31F04935200301BBDB216FA4EC49F563FADEF99761F604525FA46D7250DF70D8408A60
                        Uniqueness

                        Uniqueness Score: -1.00%
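
The three function entries above (the QueryPerformanceCounter/Sleep timing routine, and the two GetTokenInformation routines that call once to learn the buffer size, allocate, and call again) are the kind of API chains a reviewer wants pulled out of a report this long automatically, together with the OpenProcess/VirtualAllocEx/WriteProcessMemory subcalls the report lists for other functions. The following is an added example, not part of the Joe Sandbox report or of the AutoIt runtime it dissects: a parser for the "APIs" bullet lines in the format used on this page, with triage rules for those chains. It also cross-checks the numeric TOKEN_INFORMATION_CLASS argument against the label the sandbox prints, because in winnt.h class 3 is TokenPrivileges and TokenIntegrityLevel is 25. The sample text is constructed in the report's line format, the tag names and rule thresholds are this example's own, and the flag tables are the winnt.h values.

```python
import re

# One bullet line of a Joe Sandbox "APIs" listing, in the three shapes the report uses:
# "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR" and the "Part of subcall" prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$", re.IGNORECASE)
# One argument: 8 hex digits (sign-prefixed for negative HRESULTs) plus the sandbox's
# optional inline label, e.g. "00000003(TokenIntegrityLevel)"; "?" means unresolved.
ARG = re.compile(r"^(?P<hex>-?[0-9A-F]{8})(?:\((?P<label>[^)]*)\))?$", re.IGNORECASE)

# PROCESS_* access bits and TOKEN_INFORMATION_CLASS values as defined in winnt.h
# (only the token classes that matter for triage are named).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x80: "PROCESS_CREATE_PROCESS", 0x200: "PROCESS_SET_INFORMATION",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
               18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}


def parse_arg(tok):
    """'00000003(TokenIntegrityLevel)' -> (3, 'TokenIntegrityLevel'); '?' -> (None, None)."""
    tok = tok.strip()
    m = ARG.match(tok)
    if not m:
        return None, (None if tok in ("", "?") else tok)
    return int(m.group("hex"), 16), m.group("label")


def parse_entries(text):
    """Split at each 'APIs' header; return one list of call dicts per function entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if cur is not None:
                entries.append(cur)
            cur = []
            continue
        m = API_LINE.match(line) if cur is not None else None
        if m:
            raw = m.group("args")
            cur.append({"name": m.group("name"), "module": m.group("module").upper(),
                        "args": [parse_arg(a) for a in raw.split(",")] if raw is not None else [],
                        "ref": m.group("ref").upper(), "sub": m.group("sub")})
    if cur is not None:
        entries.append(cur)
    return entries


def decode_mask(mask, table):
    """Expand an access mask into flag names; bits the table lacks are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])


def triage(entry):
    """Return (tag, detail) findings for one entry; the tag names are this example's own."""
    names = [c["name"] for c in entry]
    present = set(names)
    findings = []
    if {"QueryPerformanceCounter", "Sleep"} <= present:
        findings.append(("timing-check", "high-resolution clock read around Sleep; a delay that "
                         "returns too early betrays a sandbox that shortens sleeps"))
    if {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= present:
        mask = next((c["args"][0][0] for c in entry if c["name"] == "OpenProcess" and c["args"]), None)
        flags = decode_mask(mask, PROCESS_ACCESS) if mask is not None else ["unknown"]
        findings.append(("foreign-memory-write", "OpenProcess access " + "|".join(flags)))
    for c in entry:  # cross-check the numeric class against the label the sandbox printed
        if c["name"] == "GetTokenInformation" and len(c["args"]) > 1 and c["args"][1][0] is not None:
            value, label = c["args"][1]
            expected = TOKEN_CLASS.get(value, "TokenInformationClass %d" % value)
            note = "" if label in (None, expected) else " (report label %r disagrees)" % label
            if ("token-probe", expected + note) not in findings:
                findings.append(("token-probe", expected + note))
    for name in sorted(present - {"HeapAlloc"}):  # same API twice with HeapAlloc in between:
        idx = [i for i, n in enumerate(names) if n == name]  # size probe, allocate, retry
        if len(idx) >= 2 and "HeapAlloc" in names[idx[0]:idx[-1]]:
            findings.append(("size-then-alloc-retry", name))
    return findings


# Constructed sample in the report's line format (not copied from the tool's export).
# The label on class 3 is deliberately the wrong one so the cross-check fires.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 00ADE997
• Sleep.KERNEL32(00000000), ref: 00ADE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 00ADE9B7
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD1036
• GetProcessHeap.KERNEL32(00000008,?), ref: 00AD1045
• HeapAlloc.KERNEL32(00000000,?), ref: 00AD104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?), ref: 00AD1062
APIs
  • Part of subcall function 00ADB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000), ref: 00ADB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AD2760
  • Part of subcall function 00ADB32A: OpenProcess.KERNEL32(00000438,00000000,?), ref: 00ADB365
  • Part of subcall function 00ADB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00ADB37B
"""
```

Run `triage(e)` over each entry from `parse_entries(SAMPLE)` (or over the text of a whole report) to get the tags. On the constructed sample the first entry yields `timing-check`, the second `token-probe` with the label mismatch noted and `size-then-alloc-retry` for GetTokenInformation, and the third `foreign-memory-write` with the 0x438 mask expanded to PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION. In a compiled AutoIt binary these chains typically belong to the interpreter runtime that every such binary carries, which is why the tags should be read as prompts for a human look at the function, not as verdicts on the sample.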

                        APIs
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE0324
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE0331
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE033E
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE034B
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE0358
                        • CloseHandle.KERNEL32(?,?,?,?,00AE017D,?,00AE32FC,?,00000001,00AB2592,?), ref: 00AE0365
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: 3b966de8b5055953f479a05e20bdf7434e97152f022bdc1bdf988d96e2ca0c15
                        • Instruction ID: 1ae57256b37188b0fc3c427aa45810ab0dcac3fbab34f7afc8323c129b1eae2f
                        • Opcode Fuzzy Hash: 3b966de8b5055953f479a05e20bdf7434e97152f022bdc1bdf988d96e2ca0c15
                        • Instruction Fuzzy Hash: 0401A272800B569FC730AF66D880812FBF5BF603153158A3FD19652931C7B1A994CF80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00AAD752
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AAD764
                        • _free.LIBCMT ref: 00AAD776
                        • _free.LIBCMT ref: 00AAD788
                        • _free.LIBCMT ref: 00AAD79A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 9b54cbf22596f591247c4131f33393a91f4caf7e397977904d8e8504f30f5c5c
                        • Instruction ID: 4695db3cc1e477f49eb5d69c5c3a0887bf42813eaa38eda87f037ef0aace3c3b
                        • Opcode Fuzzy Hash: 9b54cbf22596f591247c4131f33393a91f4caf7e397977904d8e8504f30f5c5c
                        • Instruction Fuzzy Hash: 3BF01232544208AF8666EBA8FAC5D2B7BDDBB46710BA50C05F089E7991CB30FC908765
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 00AD5C58
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00AD5C6F
                        • MessageBeep.USER32(00000000), ref: 00AD5C87
                        • KillTimer.USER32(?,0000040A), ref: 00AD5CA3
                        • EndDialog.USER32(?,00000001), ref: 00AD5CBD
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: 658cd9e0162003fe4d5472f83aa6bd2205efe392252d52234e005f167e14eea6
                        • Instruction ID: 1399d2c903c99b5f59e9b661cc9a82dca9f20214f92867738a5e505666db6674
                        • Opcode Fuzzy Hash: 658cd9e0162003fe4d5472f83aa6bd2205efe392252d52234e005f167e14eea6
                        • Instruction Fuzzy Hash: 62018630910B04ABEB345B20DD4EFA67BB8BB11B45F04165AA583A31E1DFF1AD848A90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00AA22BE
                          • Part of subcall function 00AA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000), ref: 00AA29DE
                          • Part of subcall function 00AA29C8: GetLastError.KERNEL32(00000000,?,00AAD7D1,00000000,00000000,00000000,00000000,?,00AAD7F8,00000000,00000007,00000000,?,00AADBF5,00000000,00000000), ref: 00AA29F0
                        • _free.LIBCMT ref: 00AA22D0
                        • _free.LIBCMT ref: 00AA22E3
                        • _free.LIBCMT ref: 00AA22F4
                        • _free.LIBCMT ref: 00AA2305
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 3c8d06fa4eaab2386c2267a7ed57465de9c4f577ac84dd07d1e955106bdbab17
                        • Instruction ID: 902b18843c588ce02565881e0edabe55f1c0000cc379226c7bedb255757308bd
                        • Opcode Fuzzy Hash: 3c8d06fa4eaab2386c2267a7ed57465de9c4f577ac84dd07d1e955106bdbab17
                        • Instruction Fuzzy Hash: 43F03079810210AF8753BFACBD01A5D3F64B76BB517100516F510D32F1CF300661ABE5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • EndPath.GDI32(?), ref: 00A895D4
                        • StrokeAndFillPath.GDI32(?,?,00AC71F7,00000000,?,?,?), ref: 00A895F0
                        • SelectObject.GDI32(?,00000000), ref: 00A89603
                        • DeleteObject.GDI32 ref: 00A89616
                        • StrokePath.GDI32(?), ref: 00A89631
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: d6f33453b23fc260284e66098f2ef721082450072af02f530ed15c3f1bdcfa17
                        • Instruction ID: 532271bf52bbd6eae22fcf94dcbdb542fd7c002630383a91fda89f502ba7276e
                        • Opcode Fuzzy Hash: d6f33453b23fc260284e66098f2ef721082450072af02f530ed15c3f1bdcfa17
                        • Instruction Fuzzy Hash: 19F01938806204EBDB166F6DED187653F61BB12362F088324F469570F1DF308A96DF20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __freea$_free
                        • String ID: a/p$am/pm
                        • API String ID: 3432400110-3206640213
                        • Opcode ID: 2905b93c3f044dcd48b2a0f36c74b58e97337c94354f054a49632e09048726e3
                        • Instruction ID: 7d0afd6a4aa6692a6d8eb4dbcad6edd43bc89fbc9dd6365cc77a0162d01527a8
                        • Opcode Fuzzy Hash: 2905b93c3f044dcd48b2a0f36c74b58e97337c94354f054a49632e09048726e3
                        • Instruction Fuzzy Hash: FFD1D135900206FADF649F68C995BFAB7B5EF07310F284269E901AF6D0D3759D80CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A90242: EnterCriticalSection.KERNEL32(00B4070C,00B41884,?,?,00A8198B,00B42518,?,?,?,00A712F9,00000000), ref: 00A9024D
                          • Part of subcall function 00A90242: LeaveCriticalSection.KERNEL32(00B4070C,?,00A8198B,00B42518,?,?,?,00A712F9,00000000), ref: 00A9028A
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00A900A3: __onexit.LIBCMT ref: 00A900A9
                        • __Init_thread_footer.LIBCMT ref: 00AF7BFB
                          • Part of subcall function 00A901F8: EnterCriticalSection.KERNEL32(00B4070C,?,?,00A88747,00B42514), ref: 00A90202
                          • Part of subcall function 00A901F8: LeaveCriticalSection.KERNEL32(00B4070C,?,00A88747,00B42514), ref: 00A90235
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                        • String ID: 5$G$Variable must be of type 'Object'.
                        • API String ID: 535116098-3733170431
                        • Opcode ID: 75651ae1119643ceeb9d8fe6170aa4900879fdbf2e1fcaab5c2fade514d5cab4
                        • Instruction ID: 934d6b0fadbc7d2511b2b2fb86774449d5ace1bd866196438c57246f2e1e8dc0
                        • Opcode Fuzzy Hash: 75651ae1119643ceeb9d8fe6170aa4900879fdbf2e1fcaab5c2fade514d5cab4
                        • Instruction Fuzzy Hash: 60919B71A04209EFCB14EF94D991DBDBBB1FF49300F508099FA069B2A2DB71AE41CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00ADB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD21D0,?,?,00000034,00000800,?,00000034), ref: 00ADB42D
                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AD2760
                          • Part of subcall function 00ADB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ADB3F8
                          • Part of subcall function 00ADB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ADB355
                          • Part of subcall function 00ADB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AD2194,00000034,?,?,00001004,00000000,00000000), ref: 00ADB365
                          • Part of subcall function 00ADB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AD2194,00000034,?,?,00001004,00000000,00000000), ref: 00ADB37B
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AD27CD
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AD281A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                        • String ID: @
                        • API String ID: 4150878124-2766056989
                        • Opcode ID: aec9a5239514aef84bec5d3052bed79da4a3466d0ddc26d8639d6c50acf43e1d
                        • Instruction ID: c3d8cb9d7bb05f539a7b6228697cee75bfc2ae163bbc75003710fd43c41bf73b
                        • Opcode Fuzzy Hash: aec9a5239514aef84bec5d3052bed79da4a3466d0ddc26d8639d6c50acf43e1d
                        • Instruction Fuzzy Hash: D0411D72900218AFDB10DFA4CD45BDEBBB8EF15700F104056FA56B7281DB716E45DB61
                        Uniqueness

                        Uniqueness Score: -1.00%
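
The entry above is the one a reader of this report most needs to decode: an OpenProcess access mask of 0x438, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory against a window's owning process, with SendMessageW in between. Added example, not part of the Joe Sandbox report and not the sample's own code: a small Python decoder for the report's "APIs" bullet format that resolves those constants from the Windows SDK headers and applies a heuristic of this example's own making to tell foreign-memory marshalling from injection. The input lines are copied from the entry above (plus one parenthesis-free line from a later entry on this page, to exercise that form). Two caveats the decoder encodes: "?" marks an argument the static pass could not recover, and the report dumps a fixed window of the stack, so values beyond an API's real parameter count (OpenProcess has three) are the caller's residue, not arguments. 0x438 expands to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, which is the set the "Writes to foreign memory regions" signature keys on; with no thread-creation or context-setting API in this function, though, the shape is the standard Win32 way of reading list-view/tree-view items out of another process (the item struct and its text buffer must live in the control's process because the message carries pointers), which is how AutoIt's control-reading functions work. The reading that matters for the AgentTesla verdict is therefore elsewhere in the report, not in this runtime function.

```python
"""Decode a Joe Sandbox "APIs" listing (added example, not part of the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: bullets copied from the report entry above, plus one
# parenthesis-free bullet from a later entry to exercise that form.
REPORT_LINES = [
    "• Part of subcall function 00ADB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD21D0,?,?,00000034,00000800,?,00000034), ref: 00ADB42D",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AD2760",
    "• Part of subcall function 00ADB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00ADB3F8",
    "• Part of subcall function 00ADB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00ADB355",
    "• Part of subcall function 00ADB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AD2194,00000034,?,?,00001004,00000000,00000000), ref: 00ADB365",
    "• Part of subcall function 00ADB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AD2194,00000034,?,?,00001004,00000000,00000000), ref: 00ADB37B",
    "• Part of subcall function 00AD2DA7: GetCurrentThreadId.KERNEL32 ref: 00AD2DDD",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AD27CD",
]

# Constants from the Windows SDK headers (winnt.h, commctrl.h).
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0200: "PROCESS_SET_INFORMATION",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
MEM_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Common-control messages seen in this listing. The *ITEM* ones carry a struct
# pointer, so struct and text buffer must be allocated inside the control's process.
CONTROL_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x104B: "LVM_GETITEMW",
                    0x1073: "LVM_GETITEMTEXTW", 0x1104: "TVM_GETITEMRECT",
                    0x1111: "TVM_HITTEST", 0x113E: "TVM_GETITEMW"}
# APIs that turn a foreign memory write into execution in the target.
INJECTION_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                  "SetThreadContext", "QueueUserAPC", "NtMapViewOfSection"}

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows "?" (unresolved)
    ref: int                    # address of the call instruction
    caller: Optional[int]       # set for "Part of subcall function" bullets

def parse_line(line: str) -> ApiCall:
    """Parse one APIs bullet. Only the leading arguments are trustworthy: the
    report dumps a fixed stack window, so anything past the API's real parameter
    count (OpenProcess has three) is the caller's stack residue."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    caller = m.group("caller")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(caller, 16) if caller else None)

def decode_flags(value: int, table: dict) -> List[str]:
    """Expand a bitmask into SDK names, keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return names

def describe(call: ApiCall) -> str:
    """Render the arguments an analyst would otherwise look up by hand."""
    a = call.args
    if call.api == "OpenProcess" and a and a[0] is not None:
        return "OpenProcess(" + "|".join(decode_flags(a[0], PROCESS_ACCESS)) + ")"
    if call.api == "VirtualAllocEx" and len(a) >= 5 and None not in a[3:5]:
        mem = "|".join(decode_flags(a[3], MEM_TYPES))
        return f"VirtualAllocEx(type={mem}, protect={PAGE_PROTECT.get(a[4], hex(a[4]))})"
    if call.api.startswith("SendMessage") and len(a) >= 2 and a[1] is not None:
        return f"{call.api}({CONTROL_MESSAGES.get(a[1], '0x%X' % a[1])})"
    return call.api

def classify(calls: List[ApiCall]) -> str:
    """Heuristic of this example's own (not a Joe Sandbox rule): does the foreign
    memory access look like code injection or like Win32 control marshalling?"""
    apis = {c.api for c in calls}
    writable = any(c.api == "OpenProcess" and c.args and c.args[0] is not None
                   and c.args[0] & 0x0020 for c in calls)
    marshals = {"VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"} <= apis
    msgs = {c.args[1] for c in calls
            if c.api.startswith("SendMessage") and len(c.args) > 1 and c.args[1] is not None}
    if writable and marshals and apis & INJECTION_APIS:
        return "injection"              # foreign write plus a way to run it
    if writable and marshals and msgs & set(CONTROL_MESSAGES):
        return "control-marshalling"    # struct/text buffer round-tripped for SendMessage
    if writable and marshals:
        return "foreign-write"          # neither pattern; review by hand
    return "none"

if __name__ == "__main__":
    calls = [parse_line(line) for line in REPORT_LINES]
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    print("verdict:", classify(calls))
```

Run it on the bullets of any function entry in this report; a verdict of "injection" on an entry is where to start reading, while "control-marshalling" entries such as this one are runtime plumbing and can be deprioritised.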

                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\%01% (2).exe,00000104), ref: 00AA1769
                        • _free.LIBCMT ref: 00AA1834
                        • _free.LIBCMT ref: 00AA183E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\Desktop\%01% (2).exe
                        • API String ID: 2506810119-67666684
                        • Opcode ID: c62d3e2d435c6ee606c2ac58fe8008dde732957869a7b0fc85f7a62dfcad40c6
                        • Instruction ID: f22603a350d777d30f2b8c24f9062e1f5a92a67df5415d57496215111ffca9fc
                        • Opcode Fuzzy Hash: c62d3e2d435c6ee606c2ac58fe8008dde732957869a7b0fc85f7a62dfcad40c6
                        • Instruction Fuzzy Hash: F3316075E44218BFDB21DB99D985D9EBBFCEB8A310F144166F804D7291DBB08E80CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ADC306
                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00ADC34C
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B41990,010A67F8), ref: 00ADC395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$Delete$InfoItem
                        • String ID: 0
                        • API String ID: 135850232-4108050209
                        • Opcode ID: 404a0cd4695bef315adb525af929a220167008ccdfe5bedbfc07bc4e42dc7a97
                        • Instruction ID: d8e580860fc990c15d3c8a80d08038336af804f5a16bea442060a03295b1eb65
                        • Opcode Fuzzy Hash: 404a0cd4695bef315adb525af929a220167008ccdfe5bedbfc07bc4e42dc7a97
                        • Instruction Fuzzy Hash: B441B1312043429FDB24DF28D985B5AFBE4AF85320F50861EF9A69B3D1D730E904CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B0CC08,00000000,?,?,?,?), ref: 00B044AA
                        • GetWindowLongW.USER32 ref: 00B044C7
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B044D7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: 3d7e37f03d70943915dc628e7e7dd3c6160b29cfd7cb1440d9dd741c73df5474
                        • Instruction ID: c46b5e1aac549855770dc87d9688541dd7ecb5da4aa01bc0f6a525f3e6e65491
                        • Opcode Fuzzy Hash: 3d7e37f03d70943915dc628e7e7dd3c6160b29cfd7cb1440d9dd741c73df5474
                        • Instruction Fuzzy Hash: BB31AD71200205AFDB209F38DC45BEA7BA9EB18334F208755FA79932E0DB70EC509750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00AF3077,?,?), ref: 00AF3378
                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AF307A
                        • _wcslen.LIBCMT ref: 00AF309B
                        • htons.WSOCK32(00000000,?,?,00000000), ref: 00AF3106
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                        • String ID: 255.255.255.255
                        • API String ID: 946324512-2422070025
                        • Opcode ID: 1379d7d063cac12b9000ce1a2965612845243411de4fcbdfc82c48e59f842a4d
                        • Instruction ID: 8849ce49b20aac653ae80af0468e314bf4cf327906d2b6c541880ea03d7df75d
                        • Opcode Fuzzy Hash: 1379d7d063cac12b9000ce1a2965612845243411de4fcbdfc82c48e59f842a4d
                        • Instruction Fuzzy Hash: 7431A0366002099FCF10CFA8C585A7A77E0EF14318F24C15AFA158B392DB72DE45C761
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B03F40
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B03F54
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B03F78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$Window
                        • String ID: SysMonthCal32
                        • API String ID: 2326795674-1439706946
                        • Opcode ID: 255f6c7f6390a96bd8238b12da488de47eeb68139b2931d45b09a75348fa66eb
                        • Instruction ID: 04cb8b33b50a6559bdd8804fd9daffe919327083e14d7a6b15c0acc9ec2c717f
                        • Opcode Fuzzy Hash: 255f6c7f6390a96bd8238b12da488de47eeb68139b2931d45b09a75348fa66eb
                        • Instruction Fuzzy Hash: 69219F32600219BFDF219F54CC46FEA3FB9EF48714F110254FA556B1D0DAB1A951CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B04705
                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B04713
                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B0471A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$DestroyWindow
                        • String ID: msctls_updown32
                        • API String ID: 4014797782-2298589950
                        • Opcode ID: 537693dd36fad0a9c3a0eaf085f1a429f52b0597e40f8295491b74652f15d03a
                        • Instruction ID: f1856f0b8cee29d6ab645e5d3ee5121d6d716f2aa6c660620e6c6cd8eda65f78
                        • Opcode Fuzzy Hash: 537693dd36fad0a9c3a0eaf085f1a429f52b0597e40f8295491b74652f15d03a
                        • Instruction Fuzzy Hash: 832151F5600208AFDB10DF68DCD1DA73BEDEB5A354B040499F6009B2A1DB31EC52CA60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                        • API String ID: 176396367-2734436370
                        • Opcode ID: 5ba1002df70bf3d42881167d1faf223c4246cbaaa48782246c22806835c7fcbd
                        • Instruction ID: 0ead5aa0ab45c21e39716f194961299ca34084b6772fd7b7be84edb03fa14cfe
                        • Opcode Fuzzy Hash: 5ba1002df70bf3d42881167d1faf223c4246cbaaa48782246c22806835c7fcbd
                        • Instruction Fuzzy Hash: DE21573230421166D731BB24AD02FBB73E89F91310F108037F94B97281EB55ED95C395
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B03840
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B03850
                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B03876
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: 1ea58b13dcbf86809ec8e0144c548b84311d4aa71462d02336679408451c02e5
                        • Instruction ID: 6b10a3063f7c5e9e772c8452f3458739262089c4c2519f49e5a9f52f1317f78b
                        • Opcode Fuzzy Hash: 1ea58b13dcbf86809ec8e0144c548b84311d4aa71462d02336679408451c02e5
                        • Instruction Fuzzy Hash: 7F218072610218BBEB218F54CC85FAB3BEEEF89B50F108154F9459B1D0CA71DD5287A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00AE4A08
                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AE4A5C
                        • SetErrorMode.KERNEL32(00000000,?,?,00B0CC08), ref: 00AE4AD0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ErrorMode$InformationVolume
                        • String ID: %lu
                        • API String ID: 2507767853-685833217
                        • Opcode ID: 0bdddef510fe35cc20f0327e985678ca8fb1610d8987d25b40ce72b85f3ada18
                        • Instruction ID: f5aacb6d323da66d1cb96bfc90e903a74e9ee62ea560d06dd5db68d8ae351920
                        • Opcode Fuzzy Hash: 0bdddef510fe35cc20f0327e985678ca8fb1610d8987d25b40ce72b85f3ada18
                        • Instruction Fuzzy Hash: 2D312175A00109AFDB10DF64C985EAA7BF8EF08318F1480A5F909DB262DB71ED45CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B0424F
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B04264
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B04271
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: c9f738189ec9e52ca054bd2c477005a89c5fdfd91718adfc9f8f87c648ceac26
                        • Instruction ID: b6ae9e5980da24c927ce64e2c90dad15186f5dad9d59c681897e0a4ed0d3122d
                        • Opcode Fuzzy Hash: c9f738189ec9e52ca054bd2c477005a89c5fdfd91718adfc9f8f87c648ceac26
                        • Instruction Fuzzy Hash: C911C171250208BEEF205E28CC06FAB3BECEF95B54F114514FA55E60E0D671D8619B10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A76B57: _wcslen.LIBCMT ref: 00A76B6A
                          • Part of subcall function 00AD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AD2DC5
                          • Part of subcall function 00AD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD2DD6
                          • Part of subcall function 00AD2DA7: GetCurrentThreadId.KERNEL32 ref: 00AD2DDD
                          • Part of subcall function 00AD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AD2DE4
                        • GetFocus.USER32 ref: 00AD2F78
                          • Part of subcall function 00AD2DEE: GetParent.USER32(00000000), ref: 00AD2DF9
                        • GetClassNameW.USER32(?,?,00000100), ref: 00AD2FC3
                        • EnumChildWindows.USER32(?,00AD303B), ref: 00AD2FEB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                        • String ID: %s%d
                        • API String ID: 1272988791-1110647743
                        • Opcode ID: f14ad3c4f2b49244bca898bd72b200efb5efe00c42f36da60c8057cca9b9c77b
                        • Instruction ID: 2f6bb5a24b418db0f492938591e3e5e9289e65f71657f7c5aa0c8f789d8625b2
                        • Opcode Fuzzy Hash: f14ad3c4f2b49244bca898bd72b200efb5efe00c42f36da60c8057cca9b9c77b
                        • Instruction Fuzzy Hash: 5011E4752002056BCF507F708D85FED376AAFA4304F048076F90A9B292DF319A09CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B058C1
                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B058EE
                        • DrawMenuBar.USER32(?), ref: 00B058FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Menu$InfoItem$Draw
                        • String ID: 0
                        • API String ID: 3227129158-4108050209
                        • Opcode ID: 09e09dd8e8527b6688430d98865b28291f83bc4769f5363a4854152b1ba5c501
                        • Instruction ID: cb95ab06917a7ac04c794334dcf96f064d78bbc561070a1fe262079057a78275
                        • Opcode Fuzzy Hash: 09e09dd8e8527b6688430d98865b28291f83bc4769f5363a4854152b1ba5c501
                        • Instruction Fuzzy Hash: A0015735500218EEDB219F11DC85BAFBFB4FB45361F1080A9E849D6291DB308A94EF21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 840eca73eba71a48ea707d9eca5458451cec78de6e6bf5f5aa22ed5f56a983d7
                        • Instruction ID: f5ba5e6a58f8af0d34e1d45c076d9f4d4cf6860a3fa688ae67d736f449ebfd27
                        • Opcode Fuzzy Hash: 840eca73eba71a48ea707d9eca5458451cec78de6e6bf5f5aa22ed5f56a983d7
                        • Instruction Fuzzy Hash: 06C12775A0020AAFDB14CFA8C894FAEB7B5FF48704F218599E506EB251D731EE41DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: __alldvrm$_strrchr
                        • String ID:
                        • API String ID: 1036877536-0
                        • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                        • Instruction ID: ca63c181d368ad09682b15737de994cd531c1539345956883f8c5f45ec3bdfd3
                        • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                        • Instruction Fuzzy Hash: 91A128729103869FEB15CF18C8917AEBBE4EFAA350F14426DF5959B2C2C3B88941C750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Similarity
                        • API ID: Variant$ClearInitInitializeUninitialize
                        • String ID:
                        • API String ID: 1998397398-0
                        • Opcode ID: b84674474bb65e73529f07b55efc89166155f5acfd7818e178206b7f00b918f9
                        • Instruction ID: 11f1ccd8ffc6cd718875a02889c209057041c34e576f8c9c98134cf022b84e09
                        • Opcode Fuzzy Hash: b84674474bb65e73529f07b55efc89166155f5acfd7818e178206b7f00b918f9
                        • Instruction Fuzzy Hash: 28A109756043049FCB10EF68C985A2AB7E5FF88714F14C959FA8A9B362DB30EE05CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B0FC08,?), ref: 00AD05F0
                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B0FC08,?), ref: 00AD0608
                        • CLSIDFromProgID.OLE32(?,?,00000000,00B0CC40,000000FF,?,00000000,00000800,00000000,?,00B0FC08,?), ref: 00AD062D
                        • _memcmp.LIBVCRUNTIME ref: 00AD064E
                        Similarity
                        • API ID: FromProg$FreeTask_memcmp
                        • String ID:
                        • API String ID: 314563124-0
                        • Opcode ID: 12f25c9772c39247dae1fbf5dc6034392b60aa9a91bbe6965dc944ed75e29bbb
                        • Instruction ID: 054c2df8999e362c0ecab5a4279b42e27b608dccd5367ef26e871fddaa11dc6e
                        • Opcode Fuzzy Hash: 12f25c9772c39247dae1fbf5dc6034392b60aa9a91bbe6965dc944ed75e29bbb
                        • Instruction Fuzzy Hash: DE810C75A00109EFCB04DF94C984EEEB7B9FF89315F208599E516AB250DB71AE06CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 7ffb88be00e62de3e9370b2300a6f0804a017eb19ecbf60650d0f66989f8d3e7
                        • Instruction ID: 63af5b1c746067ec7ca07c8be35c9a7f167ea26756ace28812da1de4c438bc4d
                        • Opcode Fuzzy Hash: 7ffb88be00e62de3e9370b2300a6f0804a017eb19ecbf60650d0f66989f8d3e7
                        • Instruction Fuzzy Hash: 544126B5B00200AFDF216BBD8D56BEE3AECEF46370F644225F419D7193EB3489415262
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00B062E2
                        • ScreenToClient.USER32(?,?), ref: 00B06315
                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B06382
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        • Opcode ID: 1b94444178df4db7939eed6cc7e3cce9367a6eed5a63ec4f65004e471900d0d6
                        • Instruction ID: e0167fb7476364369988740214acbfb0a500c9bb1bb4be421646b1c1fcdb2ebb
                        • Opcode Fuzzy Hash: 1b94444178df4db7939eed6cc7e3cce9367a6eed5a63ec4f65004e471900d0d6
                        • Instruction Fuzzy Hash: 32510C74900209EFDB24DF68D981AAE7BF5FB55360F108699F8159B2D0DB30ED91CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00AF1AFD
                        • WSAGetLastError.WSOCK32 ref: 00AF1B0B
                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AF1B8A
                        • WSAGetLastError.WSOCK32 ref: 00AF1B94
                        Similarity
                        • API ID: ErrorLast$socket
                        • String ID:
                        • API String ID: 1881357543-0
                        • Opcode ID: e9046e68fd3be41d54039ed354f0d12aa289b04fbc86ce76cdf247d27b32b9e8
                        • Instruction ID: 56facc726b0930816c8ea4300ee69302be98ab6cb97ba755b16b48874040a168
                        • Opcode Fuzzy Hash: e9046e68fd3be41d54039ed354f0d12aa289b04fbc86ce76cdf247d27b32b9e8
                        • Instruction Fuzzy Hash: 58419E74640200AFE720AF24C986F3A77E5AB44718F54C598FA5A9F3D3D772ED428B90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 50fbca8d719012265b8a7e6fb257d83ec5b7e7c782a1bcb810e06cd247a125e2
                        • Instruction ID: ace9513e3b916d0907807cbb6595ed4dccd9e71656c45174c0651ff1592fff55
                        • Opcode Fuzzy Hash: 50fbca8d719012265b8a7e6fb257d83ec5b7e7c782a1bcb810e06cd247a125e2
                        • Instruction Fuzzy Hash: BA410472A10304AFD7249F78CD41BAABBE9EB89710F10852EF552DB2C3D771A94187A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AE5783
                        • GetLastError.KERNEL32(?,00000000), ref: 00AE57A9
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AE57CE
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AE57FA
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        • Opcode ID: 925725c721483c0b4ea05061a2c3d10a8578432b5b18bd7681291475f131eb01
                        • Instruction ID: 9a58110a21fd1fed0607397fefedb45828f9b833b3e434bdbda749d4ece7904a
                        • Opcode Fuzzy Hash: 925725c721483c0b4ea05061a2c3d10a8578432b5b18bd7681291475f131eb01
                        • Instruction Fuzzy Hash: BD410F35600610DFCB11EF25CA45A5EBBF2EF99724B19C888E84A5B362CB34FD41DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A96D71,00000000,00000000,00A982D9,?,00A982D9,?,00000001,00A96D71,8BE85006,00000001,00A982D9,00A982D9), ref: 00AAD910
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AAD999
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AAD9AB
                        • __freea.LIBCMT ref: 00AAD9B4
                          • Part of subcall function 00AA3820: RtlAllocateHeap.NTDLL(00000000,?,00B41444,?,00A8FDF5,?,?,00A7A976,00000010,00B41440,00A713FC,?,00A713C6,?,00A71129), ref: 00AA3852
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                        • String ID:
                        • API String ID: 2652629310-0
                        • Opcode ID: 9ca63313a20de1476e72d45d10d4f8e7b447d1e9e8d17728fc92fbda62663909
                        • Instruction ID: 173e3f07619fc07682482b6a09ee60c381c7de45953109b676e95fa4948ea4ee
                        • Opcode Fuzzy Hash: 9ca63313a20de1476e72d45d10d4f8e7b447d1e9e8d17728fc92fbda62663909
                        • Instruction Fuzzy Hash: 3331DE72A0020AABDF249F64DC45EAF7BA9EB42310F054268FC45DB690EB35CD54CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00B05352
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B05375
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B05382
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B053A8
                        Similarity
                        • API ID: LongWindow$InvalidateMessageRectSend
                        • String ID:
                        • API String ID: 3340791633-0
                        • Opcode ID: 1ed920b5d155f53f3823f575fca9427f333e7a8cc83969db845201ce7ef98908
                        • Instruction ID: 9b4c2925c79a8cfbeb8de51ff3f7e75c2cdd5087d7fc057337ec75070b3575c8
                        • Opcode Fuzzy Hash: 1ed920b5d155f53f3823f575fca9427f333e7a8cc83969db845201ce7ef98908
                        • Instruction Fuzzy Hash: E331B434A55A0CAFEB309F14CC46BEA7FE5EB05390F584181FA12975E1CBB1A9809F49
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00ADABF1
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00ADAC0D
                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00ADAC74
                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00ADACC6
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: a5dbbc5dbc8d9ee21d3c7dfa847781cd2cee4c5210620b9820c5b3b83a0ce8a5
                        • Instruction ID: 5807dce22294204cc0d9c156762e76ebcc84bfae2d09a9a4b5bf2fa9e1979ef2
                        • Opcode Fuzzy Hash: a5dbbc5dbc8d9ee21d3c7dfa847781cd2cee4c5210620b9820c5b3b83a0ce8a5
                        • Instruction Fuzzy Hash: 6C31F430A60718AFEB358BA58C057FA7BB5ABA9320F08431BE496933D1C775C9858752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ClientToScreen.USER32(?,?), ref: 00B0769A
                        • GetWindowRect.USER32(?,?), ref: 00B07710
                        • PtInRect.USER32(?,?,00B08B89), ref: 00B07720
                        • MessageBeep.USER32(00000000), ref: 00B0778C
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        • Opcode ID: eda696b92a038056615aa825e785a1394473c0e1d2c73cc0a7b1830d16a90d22
                        • Instruction ID: aa0cf56218f64d966fa4e680184307f64df6e09182765e060ba93d97f318cf84
                        • Opcode Fuzzy Hash: eda696b92a038056615aa825e785a1394473c0e1d2c73cc0a7b1830d16a90d22
                        • Instruction Fuzzy Hash: DD418E38E452149FCB11CF58C894EA9BBF4FB49340F1481E8E4149B2A1CB71BD42CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetForegroundWindow.USER32 ref: 00B016EB
                          • Part of subcall function 00AD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD3A57
                          • Part of subcall function 00AD3A3D: GetCurrentThreadId.KERNEL32 ref: 00AD3A5E
                          • Part of subcall function 00AD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00AD25B3), ref: 00AD3A65
                        • GetCaretPos.USER32(?), ref: 00B016FF
                        • ClientToScreen.USER32(00000000,?), ref: 00B0174C
                        • GetForegroundWindow.USER32 ref: 00B01752
                        Similarity
                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                        • String ID:
                        • API String ID: 2759813231-0
                        • Opcode ID: 2048df5e8139c2bb2b70af513d59e23319c3830ccc346e4607842c8813c8ec36
                        • Instruction ID: 350d90840931b6164106f7b34981c1b9f4cd90679010165328a958e45d8ec9be
                        • Opcode Fuzzy Hash: 2048df5e8139c2bb2b70af513d59e23319c3830ccc346e4607842c8813c8ec36
                        • Instruction Fuzzy Hash: B3315275D00249AFCB04DFA9C981DAEBBF9FF48304B5080AAE415E7251DB319E45CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00ADD501
                        • Process32FirstW.KERNEL32(00000000,?), ref: 00ADD50F
                        • Process32NextW.KERNEL32(00000000,?), ref: 00ADD52F
                        • CloseHandle.KERNEL32(00000000), ref: 00ADD5DC
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: ae7e57651cf98f915de7529f0b0c54b51550e8152afd0f480c73549315e1d474
                        • Instruction ID: ec63f3ce862ffe5a086195e6a8dbe97c7737e8215dc86dac248cd912f3fe359b
                        • Opcode Fuzzy Hash: ae7e57651cf98f915de7529f0b0c54b51550e8152afd0f480c73549315e1d474
                        • Instruction Fuzzy Hash: 873190311082009FD300EF64DC85AAFBBF8AF99354F10452EF586872A1EB719945CB93
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • GetCursorPos.USER32(?), ref: 00B09001
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AC7711,?,?,?,?,?), ref: 00B09016
                        • GetCursorPos.USER32(?), ref: 00B0905E
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AC7711,?,?,?), ref: 00B09094
                        Similarity
                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                        • String ID:
                        • API String ID: 2864067406-0
                        • Opcode ID: 2210ce6b3454e929a6b88b59ea834a02c3fc1a67ef3844d2aad1f8053af3bc2a
                        • Instruction ID: 6af0149897a5cdc6e76d5a15e5d774e9313c376535a64577ebaa2913d7f3dc09
                        • Opcode Fuzzy Hash: 2210ce6b3454e929a6b88b59ea834a02c3fc1a67ef3844d2aad1f8053af3bc2a
                        • Instruction Fuzzy Hash: 9921AD35600018AFCB258F98CC98EFB3FF9FB4A350F044195F945472A2D7319990DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetFileAttributesW.KERNEL32(?,00B0CB68), ref: 00ADD2FB
                        • GetLastError.KERNEL32 ref: 00ADD30A
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00ADD319
                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B0CB68), ref: 00ADD376
                        Similarity
                        • API ID: CreateDirectory$AttributesErrorFileLast
                        • String ID:
                        • API String ID: 2267087916-0
                        • Opcode ID: ba7765cd1ee057460c0d14eb356227bf4e663c74c869988ee5f86c942a62db7c
                        • Instruction ID: b2e905329014b7504669f3c54ace89b78a9c44e605e5f5bf68e21c273b93a7c8
                        • Opcode Fuzzy Hash: ba7765cd1ee057460c0d14eb356227bf4e663c74c869988ee5f86c942a62db7c
                        • Instruction Fuzzy Hash: D3217F745092019FC710DF28C9818AA7BE4AE5A364F108A1EF49ADB3E1DB31D945CB93
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD102A
                          • Part of subcall function 00AD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD1036
                          • Part of subcall function 00AD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD1045
                          • Part of subcall function 00AD1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD104C
                          • Part of subcall function 00AD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD1062
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AD15BE
                        • _memcmp.LIBVCRUNTIME ref: 00AD15E1
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD1617
                        • HeapFree.KERNEL32(00000000), ref: 00AD161E
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                        • String ID:
                        • API String ID: 1592001646-0
                        • Opcode ID: 2b4e2c4e6cce28d0eb1464457ce510197f793553f3ea81cfe9cc1f08fd484e17
                        • Instruction ID: 3bbf609de9e367f05b6da49ec4c24b76fa884ebaa4e8fe77f6755080179f12bc
                        • Opcode Fuzzy Hash: 2b4e2c4e6cce28d0eb1464457ce510197f793553f3ea81cfe9cc1f08fd484e17
                        • Instruction Fuzzy Hash: D9215971E00109FFDF10DFA4C949BEEB7B8EF54354F18855AE442AB241E735AA45CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowLongW.USER32(?,000000EC), ref: 00B0280A
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B02824
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B02832
                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B02840
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Long$AttributesLayered
                        • String ID:
                        • API String ID: 2169480361-0
                        • Opcode ID: 3c4c250ce98814bbac8ea04af4afbdc3279e9c2d903e4cc4d0dfba0b6ccbfbcf
                        • Instruction ID: 8abd4748aecb447806fc468e8fe8f93aaa9ff1c33da39a4ec74a29aea67f337f
                        • Opcode Fuzzy Hash: 3c4c250ce98814bbac8ea04af4afbdc3279e9c2d903e4cc4d0dfba0b6ccbfbcf
                        • Instruction Fuzzy Hash: B721D635204211AFD7149B24CC49F6A7F95EF55324F14C298F4168B6D2CB71FC46C790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00AD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00AD790A,?,000000FF,?,00AD8754,00000000,?,0000001C,?,?), ref: 00AD8D8C
                          • Part of subcall function 00AD8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00AD8DB2
                          • Part of subcall function 00AD8D7D: lstrcmpiW.KERNEL32(00000000,?,00AD790A,?,000000FF,?,00AD8754,00000000,?,0000001C,?,?), ref: 00AD8DE3
                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00AD8754,00000000,?,0000001C,?,?,00000000), ref: 00AD7923
                        • lstrcpyW.KERNEL32(00000000,?), ref: 00AD7949
                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AD8754,00000000,?,0000001C,?,?,00000000), ref: 00AD7984
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: lstrcmpilstrcpylstrlen
                        • String ID: cdecl
                        • API String ID: 4031866154-3896280584
                        • Opcode ID: 4d933a24b35f838ffa9ccae26faf1ea4b1aa89cd765b2c95ba335d787b6eafc0
                        • Instruction ID: d8a715e914349d1b705cf744363443cfb0bdaeca93238a10c2f5d2f8ef7536be
                        • Opcode Fuzzy Hash: 4d933a24b35f838ffa9ccae26faf1ea4b1aa89cd765b2c95ba335d787b6eafc0
                        • Instruction Fuzzy Hash: 0211B13A200202ABCB19AF34D855D7E77A9FF95750B50402BE947C73A4FF319911C7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowLongW.USER32(?,000000F0), ref: 00B07D0B
                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B07D2A
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B07D42
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AEB7AD,00000000), ref: 00B07D6B
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID:
                        • API String ID: 847901565-0
                        • Opcode ID: 8109ae3df975b28d6ffdfeeb82acb87692c8ae9415f852c11f3b44375aa72e9e
                        • Instruction ID: 458e9f83a590e0559a17835e720292ef40d288726286a32491e2ae32e3452d02
                        • Opcode Fuzzy Hash: 8109ae3df975b28d6ffdfeeb82acb87692c8ae9415f852c11f3b44375aa72e9e
                        • Instruction Fuzzy Hash: 69119A76A05614AFCB109F28CC04AA67FE4EF46360B258764F839C72E0EB30A951CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 00B056BB
                        • _wcslen.LIBCMT ref: 00B056CD
                        • _wcslen.LIBCMT ref: 00B056D8
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B05816
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend_wcslen
                        • String ID:
                        • API String ID: 455545452-0
                        • Opcode ID: e7c531ef435fc6c9a33f4d416e0f630dbaee56d8028bdf268774c78e9138a42c
                        • Instruction ID: 87f83c0cde6bf9b946cff44207de1b5d8ffa78c44abe2ce6e9245dce6e54f211
                        • Opcode Fuzzy Hash: e7c531ef435fc6c9a33f4d416e0f630dbaee56d8028bdf268774c78e9138a42c
                        • Instruction Fuzzy Hash: B111DC35A00608A6DF309B65CCC5AEF7FECEF10360B1084A6F915965C1EFB09A80CF60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 340317d7643d3cb708c0e6dd002820fb5c0fda5f30ff792e0cfed60e88848e58
                        • Instruction ID: 443edcf5b0d54b5b26e31f9b75d0e10f51bd97130b1b856d2aeea16414e2bcd7
                        • Opcode Fuzzy Hash: 340317d7643d3cb708c0e6dd002820fb5c0fda5f30ff792e0cfed60e88848e58
                        • Instruction Fuzzy Hash: 87016DB26096167EFA612B786CC1F67676DEF937B8F340329F525A31D2DB608C005160
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00AD1A47
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD1A59
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD1A6F
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD1A8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: c3c16e02554cb99fe4f2894ff668e669d47fc59f4514bfe4e5919ae9c1864d0e
                        • Instruction ID: 676101e25a39ebb28fc40113214fed21878cca2e2ea9cb2f99c6a0a0b8e27198
                        • Opcode Fuzzy Hash: c3c16e02554cb99fe4f2894ff668e669d47fc59f4514bfe4e5919ae9c1864d0e
                        • Instruction Fuzzy Hash: 8511093AD01219FFEB11DBA5CD85FADBB78EB08750F200092EA05B7290DB716E51DB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00ADE1FD
                        • MessageBoxW.USER32(?,?,?,?), ref: 00ADE230
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ADE246
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ADE24D
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                        • String ID:
                        • API String ID: 2880819207-0
                        • Opcode ID: 88ed39b147dac4762d256bfc8e99a27d18f55d6dc5fa58b8a45b53705652dbef
                        • Instruction ID: b32871f295178d089dbcb0277d1acd23e87b37b4a4f7b869fdf844ed56a08b47
                        • Opcode Fuzzy Hash: 88ed39b147dac4762d256bfc8e99a27d18f55d6dc5fa58b8a45b53705652dbef
                        • Instruction Fuzzy Hash: 9211E576E04214BBCB01EFA89C09ADE7FACEB45310F00461AF925E7390DB70DA0487A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateThread.KERNEL32(00000000,?,00A9CFF9,00000000,00000004,00000000), ref: 00A9D218
                        • GetLastError.KERNEL32 ref: 00A9D224
                        • __dosmaperr.LIBCMT ref: 00A9D22B
                        • ResumeThread.KERNEL32(00000000), ref: 00A9D249
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                        • String ID:
                        • API String ID: 173952441-0
                        • Opcode ID: bab2a9ed28d97797584d4e3582b9d4e144e82573e3d3042a56c22e39b1956c2d
                        • Instruction ID: e97890f26b58575ea44fd47895bbb1e98a1f79ac56314314ac2f6eaf79512c87
                        • Opcode Fuzzy Hash: bab2a9ed28d97797584d4e3582b9d4e144e82573e3d3042a56c22e39b1956c2d
                        • Instruction Fuzzy Hash: 0801D236A05214BBDF115BA9DC09BEA7EE9EF91730F200319F925971D0CF70C981C6A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A89BB2
                        • GetClientRect.USER32(?,?), ref: 00B09F31
                        • GetCursorPos.USER32(?), ref: 00B09F3B
                        • ScreenToClient.USER32(?,?), ref: 00B09F46
                        • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B09F7A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Client$CursorLongProcRectScreenWindow
                        • String ID:
                        • API String ID: 4127811313-0
                        • Opcode ID: 9094599e91610ab82a6b4c8879caeece729df802aa0102a76149b193bb5321f1
                        • Instruction ID: 7fb23326708213aec611fa6451e6846ecf3c0468a34618779b0d2ec3be7a3d2e
                        • Opcode Fuzzy Hash: 9094599e91610ab82a6b4c8879caeece729df802aa0102a76149b193bb5321f1
                        • Instruction Fuzzy Hash: 22112A3690011AAFDB10EF68D8899FE7BF9FB45311F104595F911E3192DB30BA91CBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A7604C
                        • GetStockObject.GDI32(00000011), ref: 00A76060
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A7606A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CreateMessageObjectSendStockWindow
                        • String ID:
                        • API String ID: 3970641297-0
                        • Opcode ID: 8616afd5036a3c4623d321a636397e1e59ef9d191a6e728c55340f5952e6ebc8
                        • Instruction ID: 3ad3681112d4b6efdb7e31d2b3409e76c6b2fcae0b2b8eee65d2e519b52fdc8c
                        • Opcode Fuzzy Hash: 8616afd5036a3c4623d321a636397e1e59ef9d191a6e728c55340f5952e6ebc8
                        • Instruction Fuzzy Hash: B7115B72501909BFEF124FA49C44AEABF6DFF193A5F048215FA1852150DB329C619BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00A93B56
                          • Part of subcall function 00A93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A93AD2
                          • Part of subcall function 00A93AA3: ___AdjustPointer.LIBCMT ref: 00A93AED
                        • _UnwindNestedFrames.LIBCMT ref: 00A93B6B
                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A93B7C
                        • CallCatchBlock.LIBVCRUNTIME ref: 00A93BA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                        • String ID:
                        • API String ID: 737400349-0
                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction ID: bfa4e252c7f698499c8dfcb6b43b4b1c51b6b09262132ba31d7928d5c7bbfd5c
                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction Fuzzy Hash: C201E933200149BBDF126F95CD46EEB7BBAEF98754F044014FE4896121C732E962EBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A713C6,00000000,00000000,?,00AA301A,00A713C6,00000000,00000000,00000000,?,00AA328B,00000006,FlsSetValue), ref: 00AA30A5
                        • GetLastError.KERNEL32(?,00AA301A,00A713C6,00000000,00000000,00000000,?,00AA328B,00000006,FlsSetValue,00B12290,FlsSetValue,00000000,00000364,?,00AA2E46), ref: 00AA30B1
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AA301A,00A713C6,00000000,00000000,00000000,?,00AA328B,00000006,FlsSetValue,00B12290,FlsSetValue,00000000), ref: 00AA30BF
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: 7b45e26d39179713c21ea9da3174e2ec22ac9c785992cce3d49d7613f91d9653
                        • Instruction ID: a6b2cdd1f0aa6dd38f4089869dc7e80894d68762ac6fb04579258919f73a59f8
                        • Opcode Fuzzy Hash: 7b45e26d39179713c21ea9da3174e2ec22ac9c785992cce3d49d7613f91d9653
                        • Instruction Fuzzy Hash: E601A737711222ABCF314B79AC44A577B98AF57BA1B214720F906E71C0DB21D901C6E0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00AD747F
                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AD7497
                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AD74AC
                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AD74CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Type$Register$FileLoadModuleNameUser
                        • String ID:
                        • API String ID: 1352324309-0
                        • Opcode ID: c5e9276f4a458e75bf787adba26c51e85183e483cf0be8dcafe496c42abcb33a
                        • Instruction ID: 94db391f788bcfa3464a757319a2c8335b8229fdade179c3b9f41aca04645667
                        • Opcode Fuzzy Hash: c5e9276f4a458e75bf787adba26c51e85183e483cf0be8dcafe496c42abcb33a
                        • Instruction Fuzzy Hash: 7C11ADF5205310ABE7218F18DC08B9ABFFCFB00B00F10856AA617D7291EBB0E904DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0C4
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0E9
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0F3
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB126
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CounterPerformanceQuerySleep
                        • String ID:
                        • API String ID: 2875609808-0
                        • Opcode ID: 615f9eeb145b878445222c5d4215fe6da13a4bf61fe1a80fc3aa408f95b5a8ff
                        • Instruction ID: 1f29107a9df707bf9d78fdbdab98f8272b1849efbf5250e89e2671ba943fd117
                        • Opcode Fuzzy Hash: 615f9eeb145b878445222c5d4215fe6da13a4bf61fe1a80fc3aa408f95b5a8ff
                        • Instruction Fuzzy Hash: 6C113C31C11618D7CF00AFA5E9596EEBF78FF19711F124286E942B3241CF3055508BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00B07E33
                        • ScreenToClient.USER32(?,?), ref: 00B07E4B
                        • ScreenToClient.USER32(?,?), ref: 00B07E6F
                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B07E8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClientRectScreen$InvalidateWindow
                        • String ID:
                        • API String ID: 357397906-0
                        • Opcode ID: fb8c9af6c663b6a85f9019caf5976bd7f0573c513a83f67e6b60c6de95d713d5
                        • Instruction ID: e473692838aee4a64032086dc6e96043394e99b1e30238a73748d9a3c8be01b8
                        • Opcode Fuzzy Hash: fb8c9af6c663b6a85f9019caf5976bd7f0573c513a83f67e6b60c6de95d713d5
                        • Instruction Fuzzy Hash: 6C1163B9D0020AAFDB41CF98C8849EEBBF9FB18310F104156E915E3250DB35AA54CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00AD2DC5
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AD2DD6
                        • GetCurrentThreadId.KERNEL32 ref: 00AD2DDD
                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00AD2DE4
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        • Opcode ID: a46319ac9de205475f736de79be2d65e72e08112cd7815d91b401077ba7677d9
                        • Instruction ID: aa5c9d476e4bd747d2661046d67921014099bca77bfd7d54347c2b8879919c9c
                        • Opcode Fuzzy Hash: a46319ac9de205475f736de79be2d65e72e08112cd7815d91b401077ba7677d9
                        • Instruction Fuzzy Hash: E8E06D711012247AD7201B629C0DFEB3E6DEB66BA1F100216B106D31809BA18840C6B0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A89693
                          • Part of subcall function 00A89639: SelectObject.GDI32(?,00000000), ref: 00A896A2
                          • Part of subcall function 00A89639: BeginPath.GDI32(?), ref: 00A896B9
                          • Part of subcall function 00A89639: SelectObject.GDI32(?,00000000), ref: 00A896E2
                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B08887
                        • LineTo.GDI32(?,?,?), ref: 00B08894
                        • EndPath.GDI32(?), ref: 00B088A4
                        • StrokePath.GDI32(?), ref: 00B088B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                        • String ID:
                        • API String ID: 1539411459-0
                        • Opcode ID: 07cd7b74aacf514d438308b1f110dceffb9d4afe263c64cbd10fc0e3dd183fcc
                        • Instruction ID: d15cdfa3bcff798a50952473570ec0559e39188ecdac23eab54e117dd9a784df
                        • Opcode Fuzzy Hash: 07cd7b74aacf514d438308b1f110dceffb9d4afe263c64cbd10fc0e3dd183fcc
                        • Instruction Fuzzy Hash: 38F05E36041258FAEB126F98AC0DFCE3F59AF16310F048140FA12660E2CB755651DFE5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetSysColor.USER32(00000008), ref: 00A898CC
                        • SetTextColor.GDI32(?,?), ref: 00A898D6
                        • SetBkMode.GDI32(?,00000001), ref: 00A898E9
                        • GetStockObject.GDI32(00000005), ref: 00A898F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Color$ModeObjectStockText
                        • String ID:
                        • API String ID: 4037423528-0
                        • Opcode ID: e8c4b4016038fb0f596ba69891a1741e86c2fa1f49ce49a909aa04d428fbd3c9
                        • Instruction ID: f8c8247bcad1391a2b40812530cc887aab83cf1fde1f08fae0a39e7b5e12cc7d
                        • Opcode Fuzzy Hash: e8c4b4016038fb0f596ba69891a1741e86c2fa1f49ce49a909aa04d428fbd3c9
                        • Instruction Fuzzy Hash: 76E06D31244284AEDB215B74AC09BED3F20AB22336F048319FAFA690E1CB7146509F10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentThread.KERNEL32 ref: 00AD1634
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AD11D9), ref: 00AD163B
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AD11D9), ref: 00AD1648
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AD11D9), ref: 00AD164F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        • Opcode ID: a2c340dea0972c5965fc7b07935a5feeed46a9fb5f7cf4796559a883d4fa5948
                        • Instruction ID: 65282d7ae489d5888b98c080512862fbb7b3a254f55d8f865d8c53649530321f
                        • Opcode Fuzzy Hash: a2c340dea0972c5965fc7b07935a5feeed46a9fb5f7cf4796559a883d4fa5948
                        • Instruction Fuzzy Hash: 28E08C32602211EBE7201FA0AE0DB863F7CBF64796F148909F246CA080EB348440CB68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDesktopWindow.USER32 ref: 00ACD858
                        • GetDC.USER32(00000000), ref: 00ACD862
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ACD882
                        • ReleaseDC.USER32(?), ref: 00ACD8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: d3926243a89edee76398109ead84bc26321a8bdb90d4894764d529dd87d25091
                        • Instruction ID: 510f4506cfae3beeba4e4ed5d17f37e9d5c208af5c16ef79d114fc110b0cfb42
                        • Opcode Fuzzy Hash: d3926243a89edee76398109ead84bc26321a8bdb90d4894764d529dd87d25091
                        • Instruction Fuzzy Hash: FEE092B5800205EFCF51AFA0D908A6EBFB6FB18311F258559F84AE7290DB399941EF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDesktopWindow.USER32 ref: 00ACD86C
                        • GetDC.USER32(00000000), ref: 00ACD876
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00ACD882
                        • ReleaseDC.USER32(?), ref: 00ACD8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: f99028fb15366fffae10cea2111373d7cc599658a7cb83d51236b77f27448970
                        • Instruction ID: af8b4b065f0618a303d6ffa6725155e6ed3a861bc1c10ba71515cf8606459362
                        • Opcode Fuzzy Hash: f99028fb15366fffae10cea2111373d7cc599658a7cb83d51236b77f27448970
                        • Instruction Fuzzy Hash: 97E092B5800204EFCF61AFA0D90866EBFB5BB18311F148549E94AE7290DB395901EF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AE4ED4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Connection_wcslen
                        • String ID: *$LPT
                        • API String ID: 1725874428-3443410124
                        • Opcode ID: ad047a5e10bbafd443c17857c8cde7c5541c2f22223b59c4bf5d9a263616d7df
                        • Instruction ID: f8a0bd957bcaec8d2bbcc186d2923310ffdfcdb6be21767e59ed4c7ef7439677
                        • Opcode Fuzzy Hash: ad047a5e10bbafd443c17857c8cde7c5541c2f22223b59c4bf5d9a263616d7df
                        • Instruction Fuzzy Hash: 3B918F75A002449FCB14DF59C584EAABBF5BF48704F19C099E80A9F3A2C735ED85CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID:
                        • String ID: #
                        • API String ID: 0-1885708031
                        • Opcode ID: dd46414ca79076bb9187bd91860f97a078fe036ebfb886b6e9cd204fb2c921c2
                        • Instruction ID: a1b0bad033dbea6026c31da241d8a0cc72be49a35270fe8374a9bdd371cbaf20
                        • Opcode Fuzzy Hash: dd46414ca79076bb9187bd91860f97a078fe036ebfb886b6e9cd204fb2c921c2
                        • Instruction Fuzzy Hash: A2510275604246DFDF25EF68C481FFA7BA8EF25310F258059E8919B2D0EB349D52CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Sleep.KERNEL32(00000000), ref: 00A8F2A2
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A8F2BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        • Opcode ID: 5eb75f71b8ed30c643efcad80da766253cabf2d82a82904916aa2966e5ea5bdf
                        • Instruction ID: 9646756daf0c6f745c5bd872b7bc22a8db32f8ffd24bc6100d2c05440f5f9bab
                        • Opcode Fuzzy Hash: 5eb75f71b8ed30c643efcad80da766253cabf2d82a82904916aa2966e5ea5bdf
                        • Instruction Fuzzy Hash: 795134714087449BD320AF24DD86BAFBBF8FB95710F81885DF199421A5EF30852ACB66
                        Uniqueness

                        Uniqueness Score: -1.00%
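
Each record in this section has the same shape: the function's API call chain with call-site addresses (with callee APIs marked "Part of subcall function"), then the similarity identifiers (API ID, Opcode ID, Instruction ID, Instruction Fuzzy Hash) that relate the function to code seen in other analyses. The QueryPerformanceCounter/Sleep/QueryPerformanceCounter/Sleep chain and the Sleep/GlobalMemoryStatusEx chain above are the two call patterns an analyst would usually want pulled out first. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses blocks of this text layout into records, applies two heuristic rules of its own (two timer reads around a Sleep as a timing check, GlobalMemoryStatusEx as a RAM probe; these rules are this example's assumptions, not the report's signatures), and returns the Instruction Fuzzy Hash of each flagged function so it can be pivoted on in other reports. The embedded input is constructed from abridged copies of three blocks in this section.

```python
"""Parse Joe Sandbox per-function text blocks and flag evasion-style API chains.
Added example: not Joe Sandbox code and not the sample's code; the rules are assumptions."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three blocks abridged from this section of the report.
SAMPLE_REPORT = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00ADACD3,?,00008000), ref: 00ADB126
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• Instruction Fuzzy Hash: 6C113C31C11618D7CF00AFA5E9596EEBF78FF19711F124286E942B3241CF3055508BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A77620: _wcslen.LIBCMT ref: 00A77625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AE4ED4
Strings
• API ID: Connection_wcslen
• String ID: *$LPT
• Instruction Fuzzy Hash: 3B918F75A002449FCB14DF59C584EAABBF5BF48704F19C099E80A9F3A2C735ED85CB91
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000000), ref: 00A8F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00A8F2BB
• API ID: GlobalMemorySleepStatus
• String ID: @
• Instruction Fuzzy Hash: 795134714087449BD320AF24DD86BAFBBF8FB95710F81885DF199421A5EF30852ACB66
Uniqueness Score: -1.00%
"""

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address as printed by the report
    subcall_of: Optional[str] = None  # set for "Part of subcall function X" lines

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Instruction Fuzzy Hash", ...

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+):\s*(.*)$")  # "• Key: value"

def parse_blocks(text: str) -> list[FunctionBlock]:
    """One FunctionBlock per 'Uniqueness Score' terminator; headings without a bullet are skipped."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score:"):
            cur.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = FunctionBlock()
        elif m := API_RE.match(line):
            sub, name, mod, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, ref, sub))
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1).strip()] = m.group(2).strip()
    return blocks

def evasion_hits(block: FunctionBlock) -> list[str]:
    """Heuristic labels; assumed rules for this example, not Joe Sandbox signatures."""
    names = Counter(c.name for c in block.apis)
    hits = []
    # Two timer reads around a Sleep is the shape of a sleep-skip / time-dilation check.
    if names["Sleep"] and (names["QueryPerformanceCounter"] >= 2 or names["GetTickCount"] >= 2):
        hits.append("timing-check")
    # Physical RAM size is a common VM tell (small guest memory).
    if names["GlobalMemoryStatusEx"]:
        hits.append("ram-probe")
    return hits

def triage(text: str) -> list[dict]:
    """Flagged blocks with the fuzzy hash a hunter can pivot on across reports."""
    rows = []
    for b in parse_blocks(text):
        hits = evasion_hits(b)
        own = [c for c in b.apis if c.subcall_of is None]  # calls made by this function itself
        if hits:
            rows.append({"api_id": b.fields.get("API ID", ""),
                         "first_ref": own[0].ref if own else "",
                         "hits": hits,
                         "fuzzy_hash": b.fields.get("Instruction Fuzzy Hash", "")})
    return rows

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), sep="\n")
```

A hit is a lead, not a verdict: a QueryPerformanceCounter/Sleep pair is also what a precision-sleep routine in an ordinary runtime looks like, and the CALLARGARRAY string in a neighbouring block is a keyword of the AutoIt Call() function, which points to interpreter runtime code in this image, so confirm the intent in the disassembly at the listed ref address before treating the function as evasion. The fuzzy hash is the useful output either way, because it lets you check whether the same function body appears in other reports with the same verdict.
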

                        APIs
                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00AF57E0
                        • _wcslen.LIBCMT ref: 00AF57EC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: BuffCharUpper_wcslen
                        • String ID: CALLARGARRAY
                        • API String ID: 157775604-1150593374
                        • Opcode ID: 7362782355bb76bf57fc28a617102e92c12a531540fd7d1fb0eb5650925fd05d
                        • Instruction ID: 2e6a5b18fc4ee74928130722f14f8dd3589f5ac7035947d8f3d42993da7b11cc
                        • Opcode Fuzzy Hash: 7362782355bb76bf57fc28a617102e92c12a531540fd7d1fb0eb5650925fd05d
                        • Instruction Fuzzy Hash: 0F418E71E002099FCB14EFB8C9818BEBBF5EF593A0F108169F605A7291E7349D81CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _wcslen.LIBCMT ref: 00AED130
                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AED13A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CrackInternet_wcslen
                        • String ID: |
                        • API String ID: 596671847-2343686810
                        • Opcode ID: 1806adb2980e1419b8215e63124e4906f6201216a46dc59d9c1bd18e8152d40b
                        • Instruction ID: 32e1edddf82149b659b3221088369e2b7345b57f6a58b3ab6c010001e2706dfb
                        • Opcode Fuzzy Hash: 1806adb2980e1419b8215e63124e4906f6201216a46dc59d9c1bd18e8152d40b
                        • Instruction Fuzzy Hash: 93313E71D00209ABCF15EFA5CD85EEE7FB9FF04340F008119F819A6161EB31AA46CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 00B03621
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B0365C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        • Opcode ID: 2b9ce07d3cff97865b26364e65030ec841f391e23ffe5b8d24f7d2be00b3c0c7
                        • Instruction ID: ad5a11a195b1201afec3439dcad81a37aef2ae58fc14ec3abf08b904fb66711f
                        • Opcode Fuzzy Hash: 2b9ce07d3cff97865b26364e65030ec841f391e23ffe5b8d24f7d2be00b3c0c7
                        • Instruction Fuzzy Hash: 3F318B71100604AEDB209F68DC84EBB7BEDFF98B20F109619F8A597290DB31AD91C760
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B0461F
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B04634
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: '
                        • API String ID: 3850602802-1997036262
                        • Opcode ID: c7f48b6f7e6eee38313808805780d5d3d9956bd01367d966e9df5510c9675d0f
                        • Instruction ID: 642ebc9ebc753abd9e6a3ece8fb3701502405e434f83f444e86f8012e630301e
                        • Opcode Fuzzy Hash: c7f48b6f7e6eee38313808805780d5d3d9956bd01367d966e9df5510c9675d0f
                        • Instruction Fuzzy Hash: 1E3128B4A012099FDF14CFA9C980BDA7BF5FF59300F1044AAEA04AB381E771A941CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B0327C
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B03287
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        • Opcode ID: f664e161d97daca7af9a4cf2779ea5275fd5b75a87fa04cd374fc2057e4ee8f9
                        • Instruction ID: 39c59bf64d8b23e5236dd9cd144edb579693274d4f94e3089db2dabf5f2156ce
                        • Opcode Fuzzy Hash: f664e161d97daca7af9a4cf2779ea5275fd5b75a87fa04cd374fc2057e4ee8f9
                        • Instruction Fuzzy Hash: 9A1190712002087FEF219F54DC89EBB3BEEEB98764F104165F918972D0DA319D518760
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A7604C
                          • Part of subcall function 00A7600E: GetStockObject.GDI32(00000011), ref: 00A76060
                          • Part of subcall function 00A7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A7606A
                        • GetWindowRect.USER32(00000000,?), ref: 00B0377A
                        • GetSysColor.USER32(00000012), ref: 00B03794
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        • Opcode ID: 20501ef1f356f1856a81386175ceafbf788019b2f1f4cbe06fdf4656c5bbcfb5
                        • Instruction ID: 43e5a0b99ee0af06e3235f07f87847da57b714fd0ccf22aa1867ec7748f19279
                        • Opcode Fuzzy Hash: 20501ef1f356f1856a81386175ceafbf788019b2f1f4cbe06fdf4656c5bbcfb5
                        • Instruction Fuzzy Hash: 871129B2610209AFDB00DFA8CC4AEEA7BF8FB08714F004A55F955E3290DB35E9519B50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AECD7D
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AECDA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        • Opcode ID: a99bd922e2783b4e9653c5d0c8898682a4d3772d96a7027ab004221dd76f213d
                        • Instruction ID: d3c485c349ecaeadf70d1d7aa7730ada4ad721094f05c2d38150c53a99442673
                        • Opcode Fuzzy Hash: a99bd922e2783b4e9653c5d0c8898682a4d3772d96a7027ab004221dd76f213d
                        • Instruction Fuzzy Hash: 5E11C271205671BAD7384B678C89EE7BEACEF227B4F00422AB10983080D7769942D6F0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 00B034AB
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B034BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        • Opcode ID: 2d58fe8bd9af21a6bc9c6aab29e29bbc75be7d837f1cca97ba334a6007134ad2
                        • Instruction ID: 1c5894752917ed96271ea365992d3294188c6159fa4fddfd41637deea447e1c6
                        • Opcode Fuzzy Hash: 2d58fe8bd9af21a6bc9c6aab29e29bbc75be7d837f1cca97ba334a6007134ad2
                        • Instruction Fuzzy Hash: 0E116D71100108AEEB124F64DC88AAA3FEEEB15B74F508764F9659B2E0CB71DD919750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                        • CharUpperBuffW.USER32(?,?,?), ref: 00AD6CB6
                        • _wcslen.LIBCMT ref: 00AD6CC2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: STOP
                        • API String ID: 1256254125-2411985666
                        • Opcode ID: 5bb8da8c6607c4f1ba8fb29a049e6444c26aa6074986d8ef47500a90ad94160f
                        • Instruction ID: 9956c27b88dbc7bae40b2ac3b3dae19d8c847ff92f1d2939598c7a4fff9809f6
                        • Opcode Fuzzy Hash: 5bb8da8c6607c4f1ba8fb29a049e6444c26aa6074986d8ef47500a90ad94160f
                        • Instruction Fuzzy Hash: EC012232A209278BCB20AFBDDC808BF37B5EB64710B10052AE8A393291EB31D800C750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AD1D4C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 84dc1d9e319517e38ba4ba3ba3089876091affadb9f78c804fcaf08d6c37f563
                        • Instruction ID: 8a6dbfd8eefa056776bb7cf5aaa680da481377f33afa1a2dd29d8511ebf5abf6
                        • Opcode Fuzzy Hash: 84dc1d9e319517e38ba4ba3ba3089876091affadb9f78c804fcaf08d6c37f563
                        • Instruction Fuzzy Hash: 1601F131700218ABCF18EBA0CE51CFF73A9EB12350B10460BE877673D1EB3059088661
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AD1C46
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 34fa74c4a83a0682a43628742fba06823257db752f56f4e2c9e2f579f6bd31fc
                        • Instruction ID: 30090be1148a2403477f9d405c7aca4ac8c2fd85ae5899966a82ecbaa811c992
                        • Opcode Fuzzy Hash: 34fa74c4a83a0682a43628742fba06823257db752f56f4e2c9e2f579f6bd31fc
                        • Instruction Fuzzy Hash: 37016275B911087ADF15EBA0CE52EFF77A89B15344F14401BA81B67392EE219F0C86B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AD1CC8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: a39e832194be67c0d474affbcb60b7e87d61db4f08be84ad580a882bdd664cb5
                        • Instruction ID: f36c52d1efd4e56bf653a8b4edbe493785fd2a8005a03563bfe92bbcb59adea6
                        • Opcode Fuzzy Hash: a39e832194be67c0d474affbcb60b7e87d61db4f08be84ad580a882bdd664cb5
                        • Instruction Fuzzy Hash: 9901A2717901187ACF14EBA0CF02EFF77A89B21740F144417B80773381EA219F198672
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A79CB3: _wcslen.LIBCMT ref: 00A79CBD
                          • Part of subcall function 00AD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00AD3CCA
                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00AD1DD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: dd08621cf220cbebc0115b0d34203176110c1771a4aa10caddc5e50dc0fdf4be
                        • Instruction ID: 07fccc452c14850e8d65fb30c0ce37848eeaa506a7f476b7922f349c6b12ff15
                        • Opcode Fuzzy Hash: dd08621cf220cbebc0115b0d34203176110c1771a4aa10caddc5e50dc0fdf4be
                        • Instruction Fuzzy Hash: 46F0A471B512187ADB14EBA4CE52EFF77B8AB11750F144917B867633C1EF605A088261
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: 3, 3, 16, 1
                        • API String ID: 176396367-3042988571
                        • Opcode ID: 28fc3c49f45ecb24afe1475eb53149c26069c1264aacf24bf887b4c39ef3484a
                        • Instruction ID: 67983e21e2b87d6ceb91b899706d991f695c1ceb10eec1974ea53deead09566e
                        • Opcode Fuzzy Hash: 28fc3c49f45ecb24afe1475eb53149c26069c1264aacf24bf887b4c39ef3484a
                        • Instruction Fuzzy Hash: 8FE02B0231422410973123B99DC1D7F56C9CFCD751710182BFA81C2266EA948D9393A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AD0B23
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: Message
                        • String ID: AutoIt$Error allocating memory.
                        • API String ID: 2030045667-4017498283
                        • Opcode ID: df76f2feeec6e37e08858cc1cfe7dc9472302e0e69005cb8494bad7167398e30
                        • Instruction ID: 552f78e0db600917f3467ebb2ec003b85efb0e1365c687cbed10a3e3c63ee56c
                        • Opcode Fuzzy Hash: df76f2feeec6e37e08858cc1cfe7dc9472302e0e69005cb8494bad7167398e30
                        • Instruction Fuzzy Hash: CDE0DF322883086AD6243794BD03F897FC48F09B61F20446BFB88955D38BE268A006E9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00A8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A90D71,?,?,?,00A7100A), ref: 00A8F7CE
                        • IsDebuggerPresent.KERNEL32(?,?,?,00A7100A), ref: 00A90D75
                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A7100A), ref: 00A90D84
                        Strings
                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A90D7F
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                        • API String ID: 55579361-631824599
                        • Opcode ID: 2f61cf16b355ccfa0010b562a520a2b7e28363af15e1f2088bd2be7f3b1c512c
                        • Instruction ID: 25d65e8b50d34894cb2ecbbc0f8694be4ea052cf8eaef15ed847c72a048abf8d
                        • Opcode Fuzzy Hash: 2f61cf16b355ccfa0010b562a520a2b7e28363af15e1f2088bd2be7f3b1c512c
                        • Instruction Fuzzy Hash: 82E06D743003128FE7309FBCD908B527FE4BB10780F008A6DE896C7AA1EBB0E4448B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: LocalTime
                        • String ID: %.3d$X64
                        • API String ID: 481472006-1077770165
                        • Opcode ID: 51c967a367446d8c4e8f4351fa742e55f4a34e1fd5a05ec096b4a61ecce5f121
                        • Instruction ID: 4e090febcbec47b48ff97330d1b630b0774bb3a8a4ab1e56c2aab55ba9791dcb
                        • Opcode Fuzzy Hash: 51c967a367446d8c4e8f4351fa742e55f4a34e1fd5a05ec096b4a61ecce5f121
                        • Instruction Fuzzy Hash: D9D012B1C08109E9CB50A7D0CC49EFAB7BCEB19301F618476F806A2040DA34C5496B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B0232C
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B0233F
                          • Part of subcall function 00ADE97B: Sleep.KERNEL32 ref: 00ADE9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 283c69f89dc7ce9e772e30bbf3445a68bd50f576a43a6739ff146256c9b11dca
                        • Instruction ID: b202cb7ccaa03d7a7f14d5b090bdaa9672b3b47b77563a46ba4f37ce63feda3f
                        • Opcode Fuzzy Hash: 283c69f89dc7ce9e772e30bbf3445a68bd50f576a43a6739ff146256c9b11dca
                        • Instruction Fuzzy Hash: 95D0C976395310B6E668B7709C1FFC6BA58AB20B14F104A167646AB1E0CEA0A8018A54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B0236C
                        • PostMessageW.USER32(00000000), ref: 00B02373
                          • Part of subcall function 00ADE97B: Sleep.KERNEL32 ref: 00ADE9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 0dbbda4e9de4d70228845432f8e3031d6829a51ded8173ba8de886c3631558e0
                        • Instruction ID: 56f88426d84d0df98245fa9e05f869bb6bfcdad2938c23b0c416b8b6c9fde05d
                        • Opcode Fuzzy Hash: 0dbbda4e9de4d70228845432f8e3031d6829a51ded8173ba8de886c3631558e0
                        • Instruction Fuzzy Hash: 42D0C976381310BAE668B7709C0FFC6BA58AB24B14F504A167646AB1E0CEA0A8018A54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00AABE93
                        • GetLastError.KERNEL32 ref: 00AABEA1
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AABEFC
                        Memory Dump Source
                        • Source File: 00000000.00000002.3596711095.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                        • Associated: 00000000.00000002.3596693415.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B0C000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596763469.0000000000B32000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596803008.0000000000B3C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3596819483.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_a70000_%01% (2).jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0
                        • Opcode ID: 91abf28083ae4325754c0e01139379ef25611de61cec5ef21af17b663543aebb
                        • Instruction ID: d17f1aa2d3a6a7e6f2510fc998472f0947fffd97e08d26831d4d656ef7d6e046
                        • Opcode Fuzzy Hash: 91abf28083ae4325754c0e01139379ef25611de61cec5ef21af17b663543aebb
                        • Instruction Fuzzy Hash: EA41C134615246AFCF218FA4CD54AAEBBA5AF43320F18426DF9599B1E2DB30CD01CB70
                        Uniqueness

                        Uniqueness Score: -1.00%